Re: why do iceweasel et al have more frequent security issues?

[Ron Johnson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/26/07 23:05, Erik Persson wrote:
[snip]
> As long as nobody is interested in exploiting the konq bugs and everyone
> wants to exploit the firefox bugs, I will be more secure using konq even
> if there are more flaws in konq. Security when using a browser has to do

There are some flaws (XSS pops instantly to mind) that both FF & IE
suffer from, but for different reasons.

If konq also suffers from these kinds of flaws, then you *are* just
as vulnerable.

- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqZBeS9HxQb37XmcRAqB1AKC/InVBncl986dYkp7HZ+JtY5XbfQCeIUW1
owBO9cl1Xlv1I4oSX552tKw=
=gWKL
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Boinc Clients Niceness

[David Baron]

On Friday 27 July 2007, [EMAIL PROTECTED] wrote:
> Here's setiathome nice and prio :
> [EMAIL PROTECTED]:/donnees/programmes/BOINC$ ps -o pid,cmd,nice,pri -p 5219
>    PID CMD                          NI PRI
>   5219 setiathome-5.12.i686-pc-lin  19   5
>
> So :
> 1) Prio does not mean what I thought ;-)
> 2) Nice value for the process which handle the computation are at the
> maximum value.'

Problem is that is does not stay that way. Changes with new "work unit" and I 
even saw this kick down to nice 0 within the same work unit. At least the 
"optimized" version I use 5.17. (5.12 fails strangely on my system so may not 
have run long enough to show this problem.)

Re: how to ssh to a linux box from an internet cafe

[Kevin Mark]

On Wed, Jul 25, 2007 at 05:14:22PM +0300, Nick Demou wrote:
> I'll soon be on vacations without my PC. I believe that internet
> access from an internet cafe will be my best option. If things go for
> the worse how can I ssh to my debian server?
> I suppose that a PC in most internet cafes will be willing to download
> and run putty.exe but am I right? If not is there any other option?
Just to mention the obvious, most access is through client-server
programs like ssh. So, before you leave, you need to install the ssh
server on your home machine, then test it with the ssh client program on
localhost first and if you have a chance, from a remote host. If not a
client-server program, then maybe a web-based control panel, although
then you have to install apache and make sure that works remotely then.
-K
-- 
|  .''`.  == Debian GNU/Linux == |   my web site:   |
| : :' :  The  Universal |mysite.verizon.net/kevin.mark/|
| `. `'  Operating System| go to counter.li.org and |
|   `-http://www.debian.org/ |be counted! #238656   |
|  my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian!  |
|___  Unless I ask to be CCd, assume I am subscribed ___|


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Andrew Sackville-West]

On Fri, Jul 27, 2007 at 04:49:41AM +0200, Erik Persson wrote:
> Andrew Sackville-West wrote:
>> On Thu, Jul 26, 2007 at 10:52:07PM +0200, Erik Persson wrote:
>>> Anyhow, the basic fact that there is fewer security alerts in Konq makes 
>>> this a more secure browser, whether this maybe is because only of a 
>>> smaller user base or not.
>> I'm sorry, and i hate to argue with people, but this last statement
>> just doesn't fly with me. security alerts are the result of someone
>> finding a security problem and reporting it. The fact that fewer
>> security alerts exist does _NOT_ mean that konq is more secure. It
>> only means it has fewer reported security problems. Now it _could_ be
>> that this is because there actually _are_ fewer security problems, but
>> it could _also_ be because no one has _found_ or reported
>> problems. There's an important distinction there.  
>
> The assumption is of course that there is no significant difference in the 
> ratio of reported security issues to discovered security issues, and I 
> can't see any reason those should differ.

I can't see any reason why they _should_ differ either, but it is
entirely possible that they do and that's the point.

It boils down to this argument you stated:

"Anyhow, the basic fact that there is fewer security alerts in
Konq make this a more secure browser"

and that's ridiculous. It doesn't make it a mroe secure browser. It
makes it a browser with fewer reported security alerts. period. There
_may_ be other issues involved and it in fact _may_ be a more secure
browser, but that is not necessarily because it has fewer alerts.

The relationship between reported bugs in one piece of software versus
another is directly related to how many of those bugs have been found,
not how many bugs there are. True, there is a relationship between the
number found and the number that exist, but that doesn't mean that
because one has fewer reported bugs that it has fewer bugs. That is,
the number found will always be equal to or less than the number that
actually exist. But that is all you can know about the number of bugs
in a piece of software -- it has exactly or more than the number
reported. One piece of software could have 1000 bugs with one reported
while another piece could have 100 bugs with 99 reported. According to
your statement, the software with the 1 reported bug has fewer bugs
than the one with 99 reported but that's not necessarily true. 

You can only know one thing about the number of bugs in a piece of
software and that is the number of _reported_ bugs.

>
> Anyhow, it is more likely that a browser with more reported security issues 
> have more discovered security issues. And it is also more likely that a 
> browser with more discovered security issues have more security issues. 
> Both, of course, under the assumption that there is no information that 
> changes this.


yes yes yes... _likely_ sure... given a reasonable assumption that the
number of users, testers and coders involved are sufficient to
effectively test the software, then yes, the one with more reported
issues _may_ be less secure. But that's not what you said. You said
the fact that Konq had fewer reported problems makes it more
secure. You didn't say likely, or reasonable assumed to
be... important distinction.

>
>> WARNING! CAR ANALOGY!
>> if we have two cars parked side-by-side and mine is stolen (I'll
>> take the fall for this analogy ;) and yours is not, does that mean
>> that your car is more secure? no. it means someone looked for a way
>> into my car and exploited it. maybe they never even looked at your
>
> It also mean that it is more likely that your car is less secure. 

...

> If you have 10 cars of type A and 5 of type B and 2 A cars, and one B car 
> was stolen, you should guess, if no more information was available, that 
> the cars were about equally secure. No, if you have 10 A cars, and 5 B 
> cars, and 1 A car was stolen and 4 B cars, you should guess that the B cars 
> were less secure.

no. you _could_ guess that. But it is equally valid to guess that car
B's, being rarer cars are more desireable and therefore more likely to
be stolen. 

> Now, if you have x A cars and y B cars and you don't know x and y, but you 
> know that more A cars are stolen, it is more likely that the A cars are 
> less secure, since there is no reason to believe that x
> is larger than y, than believing the opposite.

no, again, you could believe that, but its equally valid to believe
that A cars getting a high price in the chop-shop market. There is
possibly some correlation, but not necessarily a causal relationship
between security and the numbers stolen. There are other factors
involved, just as in software there are other factors: programming
language, skill of the coders, number of testers, fundamental security
of the design, security of the linked libraries et etc etc. 

but cars are a bad analogy, hence my BIG WARNING.

>
>> END CAR ANALOGY!
>> a more pertine

Re: why do iceweasel et al have more frequent security issues?

[Erik Persson]

Ron Johnson wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/26/07 15:52, Erik Persson wrote:

Douglas Allan Tutty wrote:

It seems that the mozilla-derived browsers have security issues
requiring updates far more frequently than other browsers like Konqueror
or links2.

I'm curious as to why this is.  Does anyone have any ideas? 
I'm on dialup and switched to Konq for this very reason but sometimes I

have a website that doesn't work and its handy to see if iceweasel will
view it.  (so far the only one is the adobe flashplayer test page).

Doug.

As you can see from the other answers, nobody has a clue if the
mozilla-based browsers are less secure than the konq or not. I haven't
inspected the code either, so I don't have any more facts than anyone
else. I do NOT agree with the other answers however.

If there are fewer security alerts with Konq the only reasonable
conclusion, if you don't have strong facts pointing the other way, is
that Konq is more secure, and that this is partly because of better
code. The larger userbase of Firefox is very likely to generate a larger
number of discovered security issues, but as far as I know, no one can
tell you how many more bugs are generated per user or per extra
programmer, and probably no one can tell you the how user base and
security issue rate correlate more precisely. From this, the most
reasonable conclusion is that Konq is more secure.
Anyhow, the basic fact that there is fewer security alerts in Konq makes
this a more secure browser, whether this maybe is because only of a
smaller user base or not.


That's just not logical.

For example, just because people didn't know about germs in 1825
didn't mean that they didn't exist.


That's just the point. You can't be sure about firefox being less secure 
- there could be reasons that explains the assumed difference in 
reported security issues and yet firefox being more secure.
However, if we don't know, we can't say. We can only say what we know, 
and what this is likely to represent.
Exactly as it would have been very unwise to argue for the existence of 
germs in 1825 without having some evidence of their existence.


As I said, we must have some strong evidence to argue that the assumed 
larger rate of reported security issues in firefox is not because of 
more security flaws.


If there are fewer reported security issues in konq, the most likely 
explanation is that there are fewer found security issues in konq. If 
there are fewer found security issues in konq, one likely explanation is 
that there are fewer security issues in konq. There are however more 
people using firefox and there are more developers(?) developing 
firefox, but since we have no clue as to how this equates to the above, 
we really can't say much about it other than that it will probably 
decrease the difference to some extent (maybe all the way, maybe to the 
degree that konq is less secure - but we don't know).
As long as nobody is interested in exploiting the konq bugs and everyone 
wants to exploit the firefox bugs, I will be more secure using konq even 
if there are more flaws in konq. Security when using a browser has to do 
with the risk being attacked, not the number of presumed security flaws 
in the code (even if this if one factor that influences the risk of 
being attacked). Is there any reason to believe that people are more 
interested in finding security problems in firefox? yes there is - more 
bugs are found in firefox according to the OP.
What I'm saying here is that the larger user base probably will lead to 
more security issues being found and corrected in firefox, but it will 
also lead to firefox being more of a target, and this will to some 
extent reduce the advantage of having more eyes on the code.


This sounds as if I advocate for security by obscurity, which is not the 
case. In the long run, the code with the larger number of eyes on it 
will be more secure and the better choice from a security standpoint.
In a situation in which one product seems to have more reported security 
flaws than the other, but more users and developers looking at the code, 
the situation is not as easy.



- --
Ron Johnson, Jr.
Jefferson LA  USA


/Erik Persson.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Sarge: Lost # of failed logins

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 05:52:00PM -0600, Bob Proulx wrote:
> Florian Kulzer wrote:
> > I have been using Debian for about 5 years now. As far as I remember, it
> > always had the "n failure(s) since last login" message (if n was greater
> > than zero).
> 
> I have never seen that message.

it works reliably on this particular up-to-date sid box, shows the
proper number of failures. I think it must come from login, but I
can't see what might cause to happen or not.

> 
> > I never had to do anything to set it up, therefore I
> > unfortunately don't know exactly how it works. My best guess is that it
> > involves some PAM modules which parse /var/log/faillog and/or use the
> > "faillog" command. Maybe this link helps to track it down:
> 
> I always have a ~/.hushlogin.  When I remove it I still never see
> failures.  I see this instead:
> 
>   Last login: Thu Jul 26 17:32:14 2007 from dementia.proulx.com
> 
> If you create a .hushlogin file for you does your login failure
> message at login go away?
> 
>   touch ~/.hushlogin
> 

I see _nothing_ with a ~/.hushlogin and everything: motd, Last login,
failures etc, without ~/.hushlogin


> The sshd uses the presence of .hushlogin to silence the banner.  In
> the sshd man page:
> 
>   1.  If the login is on a tty, and no command has been specified,
>   prints last login time and /etc/motd (unless prevented in the
>   configuration file or by $HOME/.hushlogin; see the FILES section).
> 

I do _not_ get this message over ssh, so it must come from that pair
-- login or getty...

A


signature.asc
Description: Digital signature

Re: Weird partition arrangements and broken GRUB

[Nguyen, Cuong K.]

On 7/26/07, Hamza Saglam <[EMAIL PROTECTED]> wrote:
>
> Hi KC,
>
> Thanks for your suggestions. I have removed the boot flag from sda1
> (while keeping it on sda5) and changed the Windows 'root' to (hd0,4),
> but unfortunately I still get the dreaded 'Filesystem type unknown,
> partition type 0x7' message.
>
I have read somewhere else that Windows could only boot from a primary
> partition, I don't know if that is the issue here but do you think it
> might be related?


Yes, in mine, XP is in primary partition. But after reviewing your table, I
guess you have a bad partition table (I do not see sda4 anywhere). Here is
some suggestions:

1. Try replacing root with rootnoverify in XP partition. So it will read:

   titleMicrosoft Windows XP
   rootnoverify(hd0,4)
   savedefault
   makeactive
   chainloader+1

2. If the above does not work, then you may have bad master boot record. Try
to fix it with Windows XP Installation CD, when booting with the CD, choose
Recovery Mode to go to Console, and try fixboot and fixmbr. Those commands
will try to reset your boot record of XP partition.

Good luck :)

KC.

Someone, through another channel, suggested me to use /dev/sda1's
> bootloader to boot into Windows XP, but seeing that /dev/sda1 contains
> a crippled WinPE recovery application, I don't think it will really
> work.
>
>
> Suggestions would be much appreciated,
>
> Thanks.
>
> On 7/27/07, Nguyen, Cuong K. <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> > On 7/26/07, Hamza Saglam <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi,
> > >
> > > After reading dozens of GRUB tutorials for a good few hours and not
> > > getting anywhere, I've decided to post on this mailing list regarding
> > > my problem. If it has been covered before please pardon me, I really
> > > can't see it :(
> > >
> > > Now before I start, I'd like to point out that we are both debian
> > > users both due to the nature of our work, we have to have a windows
> > > installation on our machines. Sad but true :(
> > >
> > > A friend of mine brought in his laptop after he said he couldn't get
> > > 'windows booting', and when I had a look at the partition table using
> > > gparted, I was presented with the following monstrosity:
> > >
> > > screenshot:
> > > http://***image.***bayimg.***com/oaeikaabk.jpg
> > > (please get rid of the 9 stars, the mailing list wouldn't accept my
> > > message without these)
> > >
> > >
> > > (for the text based readers), it looks a bit like:
> > > /dev/sda1fat32(boot)
> > > /dev/sda2extended(lba)
> > > /dev/sda5ntfs(boot)
> > > /dev/sda6linux-swap
> > > /dev/sda3ext3
> > >
> > > The first fat32 partition is the recovery files that came with the
> > > laptop, the rest is a bit of mess really :)
> > >
> > > Relevant bits from /boot/grub/menu.lst:
> > >
> > > titleDebian GNU/Linux, kernel 2.6.18-4-686
> > > root(hd0,2)
> > > kernel/boot/vmlinuz-2.6.18-4-686
> > root=/dev/sda3 ro
> > > initrd/boot/initrd.img- 2.6.18-4-686
> > > savedefault
> > >
> > > titleDebian GNU/Linux, kernel 2.6.18-4-686 (single-user
> mode)
> > > root(hd0,2)
> > > kernel/boot/vmlinuz- 2.6.18-4-686
> > root=/dev/sda3 ro single
> > > initrd/boot/initrd.img- 2.6.18-4-686
> > > savedefault
> > >
> > > titleMicrosoft Windows XP
> > > root(hd0,3)
> > > savedefault
> > > makeactive
> > > chainloader+1
> > >
> > > title   Acer eRecovery Management
> > >   root(hd0,0)
> > > savedefault
> > > makeactive
> > > chainloader +1
> > >
> > >
> > > I've tried all the possible combinations for the root directive of the
> > > Windows section, but it doesn't want to load windows.
> > >
> > > Is there any way I can address the ntfs partition within that extended
> > > partition, or do I need to modify the structure. (I'd very much prefer
> > > not changing the structure, even though it is quite messy)
> > >
> > >
> > > I am stuck so any help would be much appreciated.
> > >
> > > Many thanks.
> > > Hamza
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to
> > [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]
> > >
> > >
> >
> > If you look at my partition table, you may call it "messier" or
> "weirder":
> >
> > Disk /dev/sda: 100.0 GB, 100030242816 bytes
> > 255 heads, 63 sectors/track, 12161 cylinders
> > Units = cylinders of 16065 * 512 = 8225280 bytes
> >
> >Device Boot  Start End  Blocks   Id  System
> > /dev/sda1   1 784 6297448+  12  Compaq
> diagnostics
> > /dev/sda2   * 7853356206595907  HPFS/NTFS
> > /dev/sda34507   1216161488787+   f  W95 Ext'd (LBA)
> > /dev/sda433574506 92373757  HPFS/NTFS
> > /dev/sda54507706420547103+  83  Linux
> > /dev/sd

Re: why do iceweasel et al have more frequent security issues?

[Erik Persson]

Andrew Sackville-West wrote:

On Thu, Jul 26, 2007 at 10:52:07PM +0200, Erik Persson wrote:

Anyhow, the basic fact that there is fewer security alerts in Konq makes 
this a more secure browser, whether this maybe is because only of a smaller 
user base or not.


I'm sorry, and i hate to argue with people, but this last statement
just doesn't fly with me. security alerts are the result of someone
finding a security problem and reporting it. The fact that fewer
security alerts exist does _NOT_ mean that konq is more secure. It
only means it has fewer reported security problems. Now it _could_ be
that this is because there actually _are_ fewer security problems, but
it could _also_ be because no one has _found_ or reported
problems. There's an important distinction there.  


The assumption is of course that there is no significant difference in 
the ratio of reported security issues to discovered security issues, and 
I can't see any reason those should differ.


Anyhow, it is more likely that a browser with more reported security 
issues have more discovered security issues. And it is also more likely 
that a browser with more discovered security issues have more security 
issues. Both, of course, under the assumption that there is no 
information that changes this.




WARNING! CAR ANALOGY!

if we have two cars parked side-by-side and mine is stolen (I'll
take the fall for this analogy ;) and yours is not, does that mean
that your car is more secure? no. it means someone looked for a way
into my car and exploited it. maybe they never even looked at your


It also mean that it is more likely that your car is less secure. It is 
not much data to do reliable statistics on, but since we have some data 
and it points towards your car being less secure, that would also be the 
best guess. It may not be the correct guess, but it will be the best guess.
Let's say we have 10 cars of type A parked along 10 cars of type B, and 
there is 8 stolen cars of type A and only one of type B. Then you should 
guess, if no more information was available, that car type A was less 
secure.
If you have 10 cars of type A and 5 of type B and 2 A cars, and one B 
car was stolen, you should guess, if no more information was available, 
that the cars were about equally secure. No, if you have 10 A cars, and 
5 B cars, and 1 A car was stolen and 4 B cars, you should guess that the 
B cars were less secure.
Now, if you have x A cars and y B cars and you don't know x and y, but 
you know that more A cars are stolen, it is more likely that the A cars 
are less secure, since there is no reason to believe that x

is larger than y, than believing the opposite.


END CAR ANALOGY!

a more pertinent fake example.

programmer X finds a security hole in konq that when visiting a
carefully crafted website, allows remote execution of code, privilege
escalation and ultimately results in a box getting
rooted. okay. that's obviously a security problem. but programmer X
doesn't report this problem and no security alert is issued.  


programmer Y finds a security hole in mozilla that allows an already
installed plugin at a certain version to escalate its own privileges and as a 
result
download and save a piece of code to disk with the name
"execute_me". Now if the user happens to see that file and thinks,
hmmm... I wonder what that is and executes it (after chmod +x) it does
a rm -rf on their home. programmer y reports this security hole and a
security alert is made detailing the problem. 


now, clearly, the konq vulnerability is *much* more of a security risk
than the mozilla error, right? the mozilla one requires the plugin be
already installed and the right version and then requires the user to
actually chmod and execute the thing. the konq one just requires the
user to visit a carefully crafted website. 


If this would be the case in the mozilla vs konq situation, you have to 
explain to me why:

1) konq security issues should be reported at a lower ratio
2) why security issues in konq are more severe
eg. why there should be reason to believe that there is a statistically 
significant bias between the browsers in factors such as reporting 
security issues and severity of security issues.


I can see no reason to believe one or the other. I just look at the 
facts - there are less security issues reported for konq. The only 
reasonable conclusion is that konq is more secure.



but based on what you've written above, because the mozilla one was
reported, then mozilla is less secure than konq. that doesn't add
up. And in fact, in my fake example above, the lack of security alert
makes konq even more of a security problem because 1) the right devs
might not know about the problem to issue a patch and 2) the public
doesn't know about the problem to avoid it until a patch comes along.


As I stated above, you have to explain how this constructed example 
could have any impact at all on the real mozilla vs konq case.


Do you really mean that there 

Re: Weird partition arrangements and broken GRUB

[Hamza Saglam]

Hi KC,

Thanks for your suggestions. I have removed the boot flag from sda1
(while keeping it on sda5) and changed the Windows 'root' to (hd0,4),
but unfortunately I still get the dreaded 'Filesystem type unknown,
partition type 0x7' message.

I have read somewhere else that Windows could only boot from a primary
partition, I don't know if that is the issue here but do you think it
might be related?

Someone, through another channel, suggested me to use /dev/sda1's
bootloader to boot into Windows XP, but seeing that /dev/sda1 contains
a crippled WinPE recovery application, I don't think it will really
work.


Suggestions would be much appreciated,

Thanks.

On 7/27/07, Nguyen, Cuong K. <[EMAIL PROTECTED]> wrote:
>
>
>
> On 7/26/07, Hamza Saglam <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> >
> > After reading dozens of GRUB tutorials for a good few hours and not
> > getting anywhere, I've decided to post on this mailing list regarding
> > my problem. If it has been covered before please pardon me, I really
> > can't see it :(
> >
> > Now before I start, I'd like to point out that we are both debian
> > users both due to the nature of our work, we have to have a windows
> > installation on our machines. Sad but true :(
> >
> > A friend of mine brought in his laptop after he said he couldn't get
> > 'windows booting', and when I had a look at the partition table using
> > gparted, I was presented with the following monstrosity:
> >
> > screenshot:
> > http://***image.***bayimg.***com/oaeikaabk.jpg
> > (please get rid of the 9 stars, the mailing list wouldn't accept my
> > message without these)
> >
> >
> > (for the text based readers), it looks a bit like:
> > /dev/sda1fat32(boot)
> > /dev/sda2extended(lba)
> > /dev/sda5ntfs(boot)
> > /dev/sda6linux-swap
> > /dev/sda3ext3
> >
> > The first fat32 partition is the recovery files that came with the
> > laptop, the rest is a bit of mess really :)
> >
> > Relevant bits from /boot/grub/menu.lst:
> >
> > titleDebian GNU/Linux, kernel 2.6.18-4-686
> > root(hd0,2)
> > kernel/boot/vmlinuz-2.6.18-4-686
> root=/dev/sda3 ro
> > initrd/boot/initrd.img- 2.6.18-4-686
> > savedefault
> >
> > titleDebian GNU/Linux, kernel 2.6.18-4-686 (single-user mode)
> > root(hd0,2)
> > kernel/boot/vmlinuz- 2.6.18-4-686
> root=/dev/sda3 ro single
> > initrd/boot/initrd.img- 2.6.18-4-686
> > savedefault
> >
> > titleMicrosoft Windows XP
> > root(hd0,3)
> > savedefault
> > makeactive
> > chainloader+1
> >
> > title   Acer eRecovery Management
> >   root(hd0,0)
> > savedefault
> > makeactive
> > chainloader +1
> >
> >
> > I've tried all the possible combinations for the root directive of the
> > Windows section, but it doesn't want to load windows.
> >
> > Is there any way I can address the ntfs partition within that extended
> > partition, or do I need to modify the structure. (I'd very much prefer
> > not changing the structure, even though it is quite messy)
> >
> >
> > I am stuck so any help would be much appreciated.
> >
> > Many thanks.
> > Hamza
> >
> >
> > --
> > To UNSUBSCRIBE, email to
> [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> >
> >
>
> If you look at my partition table, you may call it "messier" or "weirder":
>
> Disk /dev/sda: 100.0 GB, 100030242816 bytes
> 255 heads, 63 sectors/track, 12161 cylinders
> Units = cylinders of 16065 * 512 = 8225280 bytes
>
>Device Boot  Start End  Blocks   Id  System
> /dev/sda1   1 784 6297448+  12  Compaq diagnostics
> /dev/sda2   * 7853356206595907  HPFS/NTFS
> /dev/sda34507   1216161488787+   f  W95 Ext'd (LBA)
> /dev/sda433574506 92373757  HPFS/NTFS
> /dev/sda54507706420547103+  83  Linux
> /dev/sda670657203 1116486   82  Linux swap / Solaris
> /dev/sda7   11974   12161 1510078+  82  Linux swap / Solaris
> /dev/sda87204963519535008+  83  Linux
> /dev/sda99636   1197318779953+  83  Linux
>
> Partition table entries are not in disk order
>
> And here is the menu.lst
>
>  ## ## End Default Options ##
>
> titleUbuntu, kernel 2.6.20-16-generic
> root(hd0,7)
> kernel/boot/vmlinuz-2.6.20-16-generic root=/dev/sda8 ro quiet splash
> initrd/boot/initrd.img-2.6.20-16-generic
> quiet
> savedefault
>
> titleUbuntu, kernel 2.6.20-16-generic (recovery mode)
> root(hd0,7)
> kernel/boot/vmlinuz-2.6.20-16-generic root=/dev/sda8 ro single
> initrd/boot/initrd.img- 2.6.20-16-generic
>
> titleUbuntu, kernel 2.6.20-15-generic
> root(hd0,7)
> kernel/boot/vmlinuz-2.6.20-15-generic
> root=UUI

Re: Stability issues

[Douglas Allan Tutty]

On Thu, Jul 26, 2007 at 09:50:02PM -0400, Mike Robinson wrote:
> Douglas Allan Tutty wrote:
> >Just curious: why not amd64?  I'm running it on my Athlon64 3800+.  The
> >_only_ thing I need 32-bit for is adobe flashplayer, for which I run a
> >chroot for the browser.  That problem is fixed in Lenny/Sid but I didn't
> >want to go that route.  After having done it, setting up the chroot was
> >rather simple and schroot makes running it a breeze.
> 
> Can the binary nVidia video driver still be used in the 64-bit 
> distribution?  If
> so, I may try the amd64 route.  The only thing I'd have to investigate is 
> if there
> are any issues compiling MythTV for 64-bit.

I'm using the nVidia pre-packaged debian stuff (its pre-built for Etch,
as opposed to needing m-a for Sid).  I have the kernel meta-package and
the nvidia-kernel meta-packages installed so when one is updated, so is
the other.  I get a much clearer picture and less CPU usage when
watching DVDs full-screen, deinterlaced blend with the nvidia driver.

I haven't tried MythTV since I only get three channels of poor quality.
I use VLC for watching DVDs and listening to audio streams (e.g. CBC
radio archives).  Ensure that you have debian-multimedia in your
sources.list.  Note that I see lots of mythtv packages in aptitude.

Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Where is Lame in Sarge?

[Hal Vaughan]

On Thursday 26 July 2007, Bob Proulx wrote:
> Hal Vaughan wrote:
> > I know there's an issue with MySQL and permissions with an easy
> > work around, but other than that, I want to have time to check out
> > known issues before I upgrade a server.
>
> Wise plan.  In fact setting up a Sarge machine as a victim for
> upgrade testing to Etch is a good idea.

That's a possibility.  I'd duplicate the list of packages on the server 
and test it that way.  Of course, I couldn't do a *real* test unless I 
made sure all the programs were in use, which would mean a drop in 
replacement, which ain't going to happen unless I can replace a mostly 
full 300GB RAID (and most of that is my ripped CD collection -- just 
got a Squeezebox and installed Slimserver so I could listen to them 
outside the office).

> For servers the upgrade for me has gone quite easily.  For desktops
> the biggest problem has been the name changes for many web browser
> plugins and also the movement of GNU FDL licensed documentation into
> non-free.  This means I have had to add non-free to my sources where
> this was not previously needed and also needed to specifically
> install many of the now non-free documentation packages that were
> split out.

In some ways server management can be much easier than a desktop.  I'm 
rarely adding anything and once it's stabilized, there's not much that 
changes.  I'm not worried about docs or anything like that on the 
server because I can use them on my workstation, which is Ubuntu 
because I like newer versions of eye candy.

> > On the other hand, what's the expected release date for Lenny going
> > Stable?  With Etch going Stable in April, I figure I still have
> > another 8 - 9 months before Lenny is stable.  :-)
>
> You are an optimist thinking 8-9 months!  I think you have plenty of
> time well past that.  Perhaps I should have said before security
> upgrades for Sarge are discontinued.  That will almost certainly
> happen before Lenny releases.  :-)

I said 8-9 months because I was being diplomatic and didn't want to 
offend any of the few DDs left on the list!  I figure I'll get the main 
server, which does file, print, dns, and audio serving (and a few other 
things like that) first, since that's less complex and all the services 
are easy to replace.  The other is my work system, which is also a 
development system for the business (I can't afford to do it on 2 
separate systems) and that would be a mess if things didn't upgrade 
smoothly.

Hal



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: laptop keyboard settings in debian etch

[Jude DaShiell]

Have you run tasksel and selected the laptop option yet?  If not doing 
that may make life a little better.  I just got a Dell latitude c810 last 
night with no operating system on it and I'm going to put a form of Debian 
Linux on it.  So this is something close to my first exposure to laptops.





--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Weird partition arrangements and broken GRUB

[Nguyen, Cuong K.]

On 7/26/07, Hamza Saglam <[EMAIL PROTECTED]> wrote:


Hi,

After reading dozens of GRUB tutorials for a good few hours and not
getting anywhere, I've decided to post on this mailing list regarding
my problem. If it has been covered before please pardon me, I really
can't see it :(

Now before I start, I'd like to point out that we are both debian
users both due to the nature of our work, we have to have a windows
installation on our machines. Sad but true :(

A friend of mine brought in his laptop after he said he couldn't get
'windows booting', and when I had a look at the partition table using
gparted, I was presented with the following monstrosity:

screenshot:
http://***image.***bayimg.***com/oaeikaabk.jpg
(please get rid of the 9 stars, the mailing list wouldn't accept my
message without these)


(for the text based readers), it looks a bit like:
/dev/sda1fat32(boot)
/dev/sda2extended(lba)
/dev/sda5ntfs(boot)
/dev/sda6linux-swap
/dev/sda3ext3

The first fat32 partition is the recovery files that came with the
laptop, the rest is a bit of mess really :)

Relevant bits from /boot/grub/menu.lst:

titleDebian GNU/Linux, kernel 2.6.18-4-686
root(hd0,2)
kernel/boot/vmlinuz-2.6.18-4-686 root=/dev/sda3 ro
initrd/boot/initrd.img- 2.6.18-4-686
savedefault

titleDebian GNU/Linux, kernel 2.6.18-4-686 (single-user mode)
root(hd0,2)
kernel/boot/vmlinuz-2.6.18-4-686 root=/dev/sda3 ro single
initrd/boot/initrd.img- 2.6.18-4-686
savedefault

titleMicrosoft Windows XP
root(hd0,3)
savedefault
makeactive
chainloader+1

title   Acer eRecovery Management
  root(hd0,0)
savedefault
makeactive
chainloader +1


I've tried all the possible combinations for the root directive of the
Windows section, but it doesn't want to load windows.

Is there any way I can address the ntfs partition within that extended
partition, or do I need to modify the structure. (I'd very much prefer
not changing the structure, even though it is quite messy)


I am stuck so any help would be much appreciated.

Many thanks.
Hamza


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]



If you look at my partition table, you may call it "messier" or "weirder":

Disk /dev/sda: 100.0 GB, 100030242816 bytes
255 heads, 63 sectors/track, 12161 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

  Device Boot  Start End  Blocks   Id  System
/dev/sda1   1 784 6297448+  12  Compaq diagnostics
/dev/sda2   * 7853356206595907  HPFS/NTFS
/dev/sda34507   1216161488787+   f  W95 Ext'd (LBA)
/dev/sda433574506 92373757  HPFS/NTFS
/dev/sda54507706420547103+  83  Linux
/dev/sda670657203 1116486   82  Linux swap / Solaris
/dev/sda7   11974   12161 1510078+  82  Linux swap / Solaris
/dev/sda87204963519535008+  83  Linux
/dev/sda99636   1197318779953+  83  Linux

Partition table entries are not in disk order

And here is the menu.lst

## ## End Default Options ##

titleUbuntu, kernel 2.6.20-16-generic
root(hd0,7)
kernel/boot/vmlinuz-2.6.20-16-generic root=/dev/sda8 ro quiet splash
initrd/boot/initrd.img-2.6.20-16-generic
quiet
savedefault

titleUbuntu, kernel 2.6.20-16-generic (recovery mode)
root(hd0,7)
kernel/boot/vmlinuz-2.6.20-16-generic root=/dev/sda8 ro single
initrd/boot/initrd.img-2.6.20-16-generic

titleUbuntu, kernel 2.6.20-15-generic
root(hd0,7)
kernel
/boot/vmlinuz-2.6.20-15-genericroot=UUID=3ce886e2-7b3d-4803-ba0e-19a605fb1153
ro quiet splash break=top
initrd/boot/initrd.img-2.6.20-15-generic
quiet
savedefault

titleUbuntu, kernel 2.6.20-15-generic (recovery mode)
root(hd0,7)
kernel
/boot/vmlinuz-2.6.20-15-genericroot=UUID=3ce886e2-7b3d-4803-ba0e-19a605fb1153
ro single
initrd/boot/initrd.img-2.6.20-15-generic

titleUbuntu, memtest86+
root(hd0,7)
kernel/boot/memtest86+.bin
quiet

### END DEBIAN AUTOMAGIC KERNELS LIST

# This is a divider, added to separate the menu items below from the Debian
# ones.
titleOther operating systems:
root


# This entry automatically added by the Debian installer for a non-linux OS
# on /dev/hda1
titleWindows NT/2000/XP Recovery
root(hd0,0)
savedefault
makeactive
chainloader+1


# This entry automatically added by the Debian installer for a non-linux OS
# on /dev/hda2
titleMicrosoft Windows XP Professional
root(hd0,1)
savedefault
makeactive
chainloader+1


# This entry automatically added by the Debian installer for an existing
#

Re: Stability issues

[Mike Robinson]

Douglas Allan Tutty wrote:

Just curious: why not amd64?  I'm running it on my Athlon64 3800+.  The
_only_ thing I need 32-bit for is adobe flashplayer, for which I run a
chroot for the browser.  That problem is fixed in Lenny/Sid but I didn't
want to go that route.  After having done it, setting up the chroot was
rather simple and schroot makes running it a breeze.


Can the binary nVidia video driver still be used in the 64-bit distribution?  If
so, I may try the amd64 route.  The only thing I'd have to investigate is if 
there
are any issues compiling MythTV for 64-bit.

-Mike



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: dir command

[Agricolae Maximus]

 Ron Johnson([EMAIL PROTECTED]) is reported to have said:
 > On 07/15/07 09:50, Manon Metten wrote:
 > > Hi,
 > > 
 > > Is there a bash command available that shows the contents of the
 > > given dir recursively, telling me how many files are in there and
 > > the byte size occupied?
 <>
 >

Hey Ron! 
 > This is what I wrote to solve a similar problem:
 > 
 > http://members.cox.net/ron.l.johnson/pydir
 > 
 This is pretty slick.  Sure saves a few keystrokes - thanks!
 
   ~A~

-- 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: saving package selections (Stability issues)

[Owen Heisler]

On Thu, Jul 26, 2007 at 08:14:23PM -0400, Douglas Allan Tutty wrote:
> On Thu, Jul 26, 2007 at 04:07:59PM -0700, Andrew Sackville-West wrote:
> > if you are only installing the tasksel selections and not adding
> > additional software, then there is no reason to do this. I just know
> > that if I had to reinstall my current machine, I'd want to pull a list
> > of what was installed as I've got a couple years of built-up stuff on
> > here and wouldn't want to hassle with trying to remember it all. 
> 
> I use aptitude which keeps track of packages that I requested for
> install vs those installed to meet dependancies.  In my backups, I keep
> both the dpkg --get-selections but also aptitude search '~i!~M' which
> gives me the names of packages that are installed (~i) that are not (!)
> automatically installed (~M).

I prefer to add a few more steps in order to:
a. save versions, like for mixed stable/testing/unstable systems, yet be
   friendly to version changes
b. install exactly the packages I have selected as auto-installed
   (recommends makes this a bit more tricky, when used)
c. keep all essential-marked packages


== Saving the package selections ==
1. Save list of all installed packages:
# aptitude -F "%?p" search \~i >| aptitude-installed

2. Same as previous but with versions:
# aptitude -F "%?p=%?V" search \~i | sed 's/ //g' >| aptitude-installed-ver

3. Save list of the packages that have been automatically installed:
# aptitude -F "%?p" search \~i\~M >| aptitude-autoinstalled


== Applying package selections ==
1. Make sure /etc/apt/sources.list and /etc/apt/preferences are correct
   and update the lists:
# aptitude update

2. Select essential packages for installation, unmarkauto them, and
   markauto non-essential packages:
# aptitude -R --schedule-only install `aptitude -F "%?p" search \~E`
# aptitude -R --schedule-only unmarkauto `aptitude -F "%?p" search \~E`
# aptitude -R --schedule-only markauto `aptitude -F "%?p" search \~i\!\~E`

3. Select packages for installation, then apply versions:
# aptitude -R --schedule-only install `cat aptitude-installed`
# aptitude -R --schedule-only install `cat aptitude-installed-ver`

4. Mark auto-installed packages as such:
# aptitude -R --schedule-only markauto `cat aptitude-autoinstalled`

5. Run aptitude interactively, make sure it is doing what it ought, then
   apply either with 'g' or:
# aptitude -y install


There are probably better ways to do some of this.  ...Let me know how I
can improve it.

This is obviously overkill for a lot of people.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: output from nmap

[Jeff D]

On Thu, 26 Jul 2007, PETER EASTHOPE wrote:


Folk,

I can use a little help to understand the following output
from nmap.

As far as I can discern, IOD = Initial Object Descriptor
and EID = Endpoint Identifier.  So does this show that
the UDP packet is getting past IOD #1?  What about
IOD #2?

What are EID 8, EID 18 & etc.?

Thanks, ... Peter E.

newton:~# nmap -sU -p1194 --packet-trace peasthope.yi.org

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-25 08:18 PDT
SENT (5.1360s) ICMP 137.82.26.91 > 139.142.97.80 Echo request (type=8/code=0) 
ttl=59 id=24449 iplen=28
SENT (5.1360s) TCP 137.82.26.91:43568 > 139.142.97.80:80 A ttl=43 id=18482 
iplen=40 seq=4225371038 win=4096 ack=324668318
RCVD (5.1380s) TCP 139.142.97.80:80 > 137.82.26.91:43568 RA ttl=255 id=54305 
iplen=40 seq=324668318 win=4096 ack=4225371038
NSOCK (5.2490s) UDP connection requested to 137.82.1.1:53 (IOD #1) EID 8
NSOCK (5.2490s) Read request from IOD #1 [137.82.1.1:53] (timeout: -1ms) EID 18
NSOCK (5.2500s) UDP connection requested to 137.82.26.240:53 (IOD #2) EID 24
NSOCK (5.2500s) Read request from IOD #2 [137.82.26.240:53] (timeout: -1ms) EID 
34
NSOCK (5.2500s) Write request for 44 bytes to IOD #1 EID 43 [137.82.1.1:53]: 
.80.97.142.139.in-addr.arpa.
NSOCK (5.2510s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (5.2520s) Callback: CONNECT SUCCESS for EID 24 [137.82.26.240:53]
NSOCK (5.2520s) Callback: CONNECT SUCCESS for EID 8 [137.82.1.1:53]
NSOCK (5.2520s) Callback: WRITE SUCCESS for EID 43 [137.82.1.1:53]
NSOCK (5.7540s) nsock_loop() started (timeout=500ms). 2 events pending
NSOCK (6.2540s) nsock_loop() started (timeout=500ms). 2 events pending
NSOCK (6.7540s) nsock_loop() started (timeout=500ms). 2 events pending
NSOCK (7.2540s) nsock_loop() started (timeout=495ms). 2 events pending
NSOCK (7.7500s) Write request for 44 bytes to IOD #1 EID 51 [137.82.1.1:53]: 
.80.97.142.139.in-addr.arpa.
NSOCK (7.7510s) nsock_loop() started (timeout=500ms). 3 events pending
NSOCK (7.7510s) Callback: WRITE SUCCESS for EID 51 [137.82.1.1:53]
NSOCK (7.8210s) Callback: READ SUCCESS for EID 18 [137.82.1.1:53] (123 bytes)
NSOCK (7.8210s) Read request from IOD #1 [137.82.1.1:53] (timeout: -1ms) EID 58
SENT (7.8390s) UDP 137.82.26.91:43548 > 139.142.97.80:1194 ttl=59 id=39917 
iplen=28
SENT (7.9440s) UDP 137.82.26.91:43549 > 139.142.97.80:1194 ttl=42 id=61356 
iplen=28
Interesting ports on 139.142.97.80:
PORT STATE SERVICE
1194/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 8.165 seconds
newton:~#



http://carnot.pathology.ubc.ca/




Looks like nmap made a dns request ..

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: DHCPD giving IP to wrong machine

[Wayne Topa]

Clarence W. Robison([EMAIL PROTECTED]) is reported to have said:
Content-Description: Mail message body
> On 26 Jul 2007 at 16:05, Clarence W. Robison wrote:
> 
> > I have an entry in my dhcp3 dhcpd.conf which says that host xyz with
> > certain MAC address should receive a fixed ip address. The server does
> > not respect that entry and gives the IP address to another host with a
> > different MAC address. I don't quite understand why it, dhcpd, should do
> > that. Is normal behavior?
> > 
> 
> OPPS, the message left before I could paste snippets of the conf file.
>  dhcpd.conf -- # #
> Global Options pid-file-name "/var/run/dhcpd.pid"; lease-file-name
> "/var/lib/dhcp3/dhcpd.leases"; log-facility local1; ignore client-updates;
> ddns-update-style none; option domain-name-servers  XXX.XXX.XXX.3,
> XXX.XXX.XXX.223; default-lease-time  3600; max-lease-time 
> 14400; authoritative; subnet XXX.XXX.XXX.0 netmask
> 255.255.255.192 { # Default Options
>   option routersXXX.XXX.XXX.1;
>   option subnet-mask255.255.255.192;
>   option domain-name".XX.XXX";  
>   option time-offset-25200; # Mountain Standard Time
>   option ntp-serversXXX.XXX.XXX.3, XXX.XXX.XXX.58;
> 
>   range dynamic-bootp   XXX.XXX.XXX.22 XXX.XXX.XXX.60;
> 
>   host xxx {  
> hardware ethernet 00:13:20:2d:31:d1;
> fixed-address XXX.XXX.XXX.22;
>  }
> 
No expert here, but as mine works, and differs from your config I'll
show ehat I had to do.

in my /etc/dhcp3/dhcpd.conf  (not the /etc/dhcpd.conf) I have

host classy {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address 192.168.1.5;
option host-name "classy.mtntop.home";
}

HTH
Wayne

-- 
Warning, keyboard not found. Press Enter to continue.
___


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Sarge: Lost # of failed logins

[Wayne Topa]

Florian Kulzer([EMAIL PROTECTED]) is reported to have said:
> On Thu, Jul 26, 2007 at 13:51:27 -0600, Bob Proulx wrote:
> > Mumia W.. wrote:
> > > I'm using Sarge. When I log in, I no longer get a message telling me the 
> > > # of failed logins.
> > > 
> > > For example, if I try to login but use a wrong password, when I try 
> > > again using the real password, I should see a message saying "1 failed 
> > > login attempts." I no longer get that message.
> > 
> > I personally have never seen such a message.  You must have previously
> > installed or configured something that added that functionality.
> 
> I have been using Debian for about 5 years now. As far as I remember, it
> always had the "n failure(s) since last login" message (if n was greater
> than zero). I never had to do anything to set it up, therefore I
> unfortunately don't know exactly how it works. My best guess is that it
> involves some PAM modules which parse /var/log/faillog and/or use the
> "faillog" command. Maybe this link helps to track it down:
> 
> http://linux.sys-con.com/read/49058.htm
> 
> (search for "faillog" on that page)

Florian

I still have the results you 'had'.  I tried logging in, twice, with
a bad passwd.  Got the following.

Last login: Thu Jul 26 21:01:03 2007 on tty6
Linux dj 2.6.18-4-amd64 #1 SMP Fri May 4 00:37:33 UTC 2007 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
1 failure since last login.  BUT I failed twice!
Last was Thu 26 Jul 2007 09:06:23 PM EDT on tty5.

I seems to be coming from something after the motd but before the .bash_profile 
and .bashrc.  Running etch on a new system and just noticed I had not enabled
the boot log, so can't check that right now.  Sorry.

Wayne

-- 
There were computers in Biblical times. Eve had an Apple.
___


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

output from nmap

[PETER EASTHOPE]

Folk,

I can use a little help to understand the following output 
from nmap.  

As far as I can discern, IOD = Initial Object Descriptor
and EID = Endpoint Identifier.  So does this show that 
the UDP packet is getting past IOD #1?  What about 
IOD #2? 

What are EID 8, EID 18 & etc.? 

Thanks, ... Peter E.

newton:~# nmap -sU -p1194 --packet-trace peasthope.yi.org

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-25 08:18 PDT
SENT (5.1360s) ICMP 137.82.26.91 > 139.142.97.80 Echo request (type=8/code=0) 
ttl=59 id=24449 iplen=28
SENT (5.1360s) TCP 137.82.26.91:43568 > 139.142.97.80:80 A ttl=43 id=18482 
iplen=40 seq=4225371038 win=4096 ack=324668318
RCVD (5.1380s) TCP 139.142.97.80:80 > 137.82.26.91:43568 RA ttl=255 id=54305 
iplen=40 seq=324668318 win=4096 ack=4225371038
NSOCK (5.2490s) UDP connection requested to 137.82.1.1:53 (IOD #1) EID 8
NSOCK (5.2490s) Read request from IOD #1 [137.82.1.1:53] (timeout: -1ms) EID 18
NSOCK (5.2500s) UDP connection requested to 137.82.26.240:53 (IOD #2) EID 24
NSOCK (5.2500s) Read request from IOD #2 [137.82.26.240:53] (timeout: -1ms) EID 
34
NSOCK (5.2500s) Write request for 44 bytes to IOD #1 EID 43 [137.82.1.1:53]: 
.80.97.142.139.in-addr.arpa.
NSOCK (5.2510s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (5.2520s) Callback: CONNECT SUCCESS for EID 24 [137.82.26.240:53]
NSOCK (5.2520s) Callback: CONNECT SUCCESS for EID 8 [137.82.1.1:53]
NSOCK (5.2520s) Callback: WRITE SUCCESS for EID 43 [137.82.1.1:53]
NSOCK (5.7540s) nsock_loop() started (timeout=500ms). 2 events pending
NSOCK (6.2540s) nsock_loop() started (timeout=500ms). 2 events pending
NSOCK (6.7540s) nsock_loop() started (timeout=500ms). 2 events pending
NSOCK (7.2540s) nsock_loop() started (timeout=495ms). 2 events pending
NSOCK (7.7500s) Write request for 44 bytes to IOD #1 EID 51 [137.82.1.1:53]: 
.80.97.142.139.in-addr.arpa.
NSOCK (7.7510s) nsock_loop() started (timeout=500ms). 3 events pending
NSOCK (7.7510s) Callback: WRITE SUCCESS for EID 51 [137.82.1.1:53]
NSOCK (7.8210s) Callback: READ SUCCESS for EID 18 [137.82.1.1:53] (123 bytes)
NSOCK (7.8210s) Read request from IOD #1 [137.82.1.1:53] (timeout: -1ms) EID 58
SENT (7.8390s) UDP 137.82.26.91:43548 > 139.142.97.80:1194 ttl=59 id=39917 
iplen=28
SENT (7.9440s) UDP 137.82.26.91:43549 > 139.142.97.80:1194 ttl=42 id=61356 
iplen=28
Interesting ports on 139.142.97.80:
PORT STATE SERVICE
1194/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 8.165 seconds
newton:~# 



 http://carnot.pathology.ubc.ca/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Stability issues

[Douglas Allan Tutty]

On Thu, Jul 26, 2007 at 08:48:40PM -0400, Mike Robinson wrote:
> >Mike Robinson wrote:
> >>I'm almost to the point of blowing the system away and installing
> >>Etch.  Anyone with insight would be appreciated.
> >
> >Well, I've decided to throw in the towel and install Etch.  I think
> >I'd like to boot with an Etch install CD, keep my partitions, but
> >blow away the Debian Testing installation with Etch.  I have one
> >large partition with all of the data I need to save; the rest can go
> >away.  I've never done anything like this before, so any
> >warnings/advice is welcome.
> 
> Okay, dumb question.  It's been a while and I want to get it right.  I
> plan on downloading the minimal install CD and do a network install.
> My processor is an Athlon 64 3200+, but I want the 32-bit distribution
> with the 'k7' kernel.  Which install image to I burn?  I *think* it's
> the i386 image, and hopefully it'll let me choose the kernel
> architecture during the install.  Is this correct?
> 

Yes, you want the i386 netinst.iso.  The installer will present you with
two sets of kernel choices.  One is an actual kernel version the other
is a kernel meta-package that depends on the most recent version.
Other than that, I don't know if it will give you the whole list.  

I'm on dialup and I just do a base install (don't have it look to the
net for anything) to get a working system fast.  Then I run aptitude and
get the packages that I want.  You could do this too since the -486
kernel will run on the athlon, then update to your kernel-of-choice.

Just curious: why not amd64?  I'm running it on my Athlon64 3800+.  The
_only_ thing I need 32-bit for is adobe flashplayer, for which I run a
chroot for the browser.  That problem is fixed in Lenny/Sid but I didn't
want to go that route.  After having done it, setting up the chroot was
rather simple and schroot makes running it a breeze.

Good luck with the install.

Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

adduser

[Oleg Verych]

* Bob Proulx
>
> Oleg Verych wrote:
>> I'm just a user, but developers seem to have some problems in the
>> past: #208848.
>
> But Bug#208848 says that cron needed a dependency upon adduser, which
> it now has because of that bug.  Reading that bug this was
> specifically for build daemons with a minimum system without adduser
> otherwise installed.  I don't see anything about adduser misbehaving.
> That bug in particular was filed against cron not adduser.

* Bob Proulx
>
>> As i said, i will try to do a simple solution. If i will fail, so be it.
>
> The original poster Rick Spillane seemed to be having trouble with
> /etc/group becoming corrupted.  Are you having similar problems?
>
> What are you trying to do?
>

Getting rid of adduser. Misbehaving is one thing, bloated perl code is
another (see below).

>> One thing i can't see so far, why exim4 allocates dynamic UID. E.g. in
>> situation, when i will have same "/etc/", "/var/spool/exim4" but
>> different (re)installation sequence, UID may change, adding unneeded
>> troubles.
>
> What trouble does it cause you when an installation on different
> systems in a different order or on the same system after purging and
> reinstalling system packages in a different order uses different
> system ids?

Ids may change and i will end up with /var/spool/exim4 owned by
different user in case /etc/passwd is new.

> There are a few globally reserved ids.  But all of those must be
> between 2 and 99 because traditionally other ids started at uid 100.
> Additionally room must be left for the local admin to create system
> ids.  All globally allocated ids for all of Debian must fit between
> 2-99 and are coordinated through the base-passwd maintainer.

If i have /etc/passwd set up, i don't want to install adduser. If there
will be setup option or prompt: "Do you want to add Debian-exim4 (with
random UID)?" I want to say no. I don't want global ID. I want not
random one.

> Most systems, not just Debian, use dynamically assigned ids at package
> installation time.  This is a very common practice.  It is sometimes
> inconvenient but rarely causes serious enough problems to cause a move
> to globally allocated ids.
>
>> [EMAIL PROTECTED]:$ du -hs adduser deluser 
>> ../share/perl5/Debian/AdduserCommon.pm
>> 32K adduser
>> 16K deluser
>> 8.0K../share/perl5/Debian/AdduserCommon.pm
>> [EMAIL PROTECTED]:$
>> 
>> 56K just for random UID/GID or similar functionality is too much (IMHO,
>> of course). Also it pulls "passwd" anyway.
>
> Hmm...  We have completely different ideas of scale.  That seems
> pretty small to me.  I ran perl-source-stats (from perl monks) on
> those perl scripts and this is what it turned up.
>
>   /usr/sbin/adduser
>   Found 745 LOC
>   Found 142 comment lines
>
>   /usr/sbin/deluser
>   Found 348 LOC
>   Found 63 comment lines
>
>   /usr/share/perl5/Debian/AdduserCommon.pm
>   Found 166 LOC
>   Found 31 comment lines

I have not yet published aggressive cleaner of disk space, and it reports
48K of pure perl, i.e. no comments and redundant whitespace. And i care
about every additional 4097 bytes, actually (for various reasons).

> That is only 1053 lines of perl code in total across all three of
> those files.  I consider that quite reasonable.  I am against the
> practice of "perl golf" where the smallest number of strokes wins.
> I much prefer verbose over terse if it improves readability.
>

For such functionality it's too much. So we just disagree :)



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Stability issues

[Mike Robinson]

Mike Robinson wrote:
I'm almost to the point of blowing the system away and installing 
Etch.  Anyone with insight would be appreciated.


Well, I've decided to throw in the towel and install Etch.  I think I'd 
like to boot with an Etch install CD, keep my partitions, but blow away 
the Debian Testing installation with Etch.  I have one large partition 
with all of the data I need to save; the rest can go away.  I've never 
done anything like this before, so any warnings/advice is welcome.


Okay, dumb question.  It's been a while and I want to get it right.  I plan on
downloading the minimal install CD and do a network install.  My processor is an
Athlon 64 3200+, but I want the 32-bit distribution with the 'k7' kernel.  Which
install image to I burn?  I *think* it's the i386 image, and hopefully it'll let
me choose the kernel architecture during the install.  Is this correct?

-Mike



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Weird partition arrangements and broken GRUB

[Hamza Saglam]

Hi,

After reading dozens of GRUB tutorials for a good few hours and not
getting anywhere, I've decided to post on this mailing list regarding
my problem. If it has been covered before please pardon me, I really
can't see it :(

Now before I start, I'd like to point out that we are both debian
users both due to the nature of our work, we have to have a windows
installation on our machines. Sad but true :(

A friend of mine brought in his laptop after he said he couldn't get
'windows booting', and when I had a look at the partition table using
gparted, I was presented with the following monstrosity:

screenshot:
http://***image.***bayimg.***com/oaeikaabk.jpg
(please get rid of the 9 stars, the mailing list wouldn't accept my
message without these)


(for the text based readers), it looks a bit like:
 /dev/sda1fat32(boot)
 /dev/sda2extended(lba)
/dev/sda5ntfs(boot)
/dev/sda6linux-swap
 /dev/sda3ext3

The first fat32 partition is the recovery files that came with the
laptop, the rest is a bit of mess really :)

Relevant bits from /boot/grub/menu.lst:

titleDebian GNU/Linux, kernel 2.6.18-4-686
root(hd0,2)
kernel/boot/vmlinuz-2.6.18-4-686 root=/dev/sda3 ro
initrd/boot/initrd.img- 2.6.18-4-686
savedefault

titleDebian GNU/Linux, kernel 2.6.18-4-686 (single-user mode)
root(hd0,2)
kernel/boot/vmlinuz-2.6.18-4-686 root=/dev/sda3 ro single
initrd/boot/initrd.img- 2.6.18-4-686
savedefault

titleMicrosoft Windows XP
root(hd0,3)
savedefault
makeactive
chainloader+1

title   Acer eRecovery Management
  root(hd0,0)
savedefault
makeactive
chainloader +1


I've tried all the possible combinations for the root directive of the
Windows section, but it doesn't want to load windows.

Is there any way I can address the ntfs partition within that extended
partition, or do I need to modify the structure. (I'd very much prefer
not changing the structure, even though it is quite messy)


 I am stuck so any help would be much appreciated.

Many thanks.
Hamza


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Stability issues

[Douglas Allan Tutty]

On Thu, Jul 26, 2007 at 04:07:59PM -0700, Andrew Sackville-West wrote:

> if you are only installing the tasksel selections and not adding
> additional software, then there is no reason to do this. I just know
> that if I had to reinstall my current machine, I'd want to pull a list
> of what was installed as I've got a couple years of built-up stuff on
> here and wouldn't want to hassle with trying to remember it all. 

I use aptitude which keeps track of packages that I requested for
install vs those installed to meet dependancies.  In my backups, I keep
both the dpkg --get-selections but also aptitude search '~i!~M' which
gives me the names of packages that are installed (~i) that are not (!)
automatically installed (~M).

Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Where is Lame in Sarge?

[Bob Proulx]

Hal Vaughan wrote:
> I know there's an issue with MySQL and permissions with an easy work
> around, but other than that, I want to have time to check out known
> issues before I upgrade a server.

Wise plan.  In fact setting up a Sarge machine as a victim for upgrade
testing to Etch is a good idea.

For servers the upgrade for me has gone quite easily.  For desktops
the biggest problem has been the name changes for many web browser
plugins and also the movement of GNU FDL licensed documentation into
non-free.  This means I have had to add non-free to my sources where
this was not previously needed and also needed to specifically install
many of the now non-free documentation packages that were split out.

> On the other hand, what's the expected release date for Lenny going 
> Stable?  With Etch going Stable in April, I figure I still have another 
> 8 - 9 months before Lenny is stable.  :-)

You are an optimist thinking 8-9 months!  I think you have plenty of
time well past that.  Perhaps I should have said before security
upgrades for Sarge are discontinued.  That will almost certainly
happen before Lenny releases.  :-)

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Sarge: Lost # of failed logins

[Bob Proulx]

Florian Kulzer wrote:
> I have been using Debian for about 5 years now. As far as I remember, it
> always had the "n failure(s) since last login" message (if n was greater
> than zero).

I have never seen that message.

> I never had to do anything to set it up, therefore I
> unfortunately don't know exactly how it works. My best guess is that it
> involves some PAM modules which parse /var/log/faillog and/or use the
> "faillog" command. Maybe this link helps to track it down:

I always have a ~/.hushlogin.  When I remove it I still never see
failures.  I see this instead:

  Last login: Thu Jul 26 17:32:14 2007 from dementia.proulx.com

If you create a .hushlogin file for you does your login failure
message at login go away?

  touch ~/.hushlogin

The sshd uses the presence of .hushlogin to silence the banner.  In
the sshd man page:

  1.  If the login is on a tty, and no command has been specified,
  prints last login time and /etc/motd (unless prevented in the
  configuration file or by $HOME/.hushlogin; see the FILES section).

But I never see anything about failures, just the motd and the last
login time.  So I don't think this is it.

I am very curious as to what outputs for you the faillog!

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Stability issues

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 07:28:07PM -0400, Mike Robinson wrote:
> Andrew Sackville-West wrote:
>> On Thu, Jul 26, 2007 at 06:04:58PM -0400, Mike Robinson wrote:
>>> Andrew Sackville-West wrote:
 On Thu, Jul 26, 2007 at 05:26:36PM -0400, Mike Robinson wrote:
> Mike Robinson wrote:
> Well, I've decided to throw in the towel and install Etch. 
...
 I've lost track of what brought you to this stage, but if you're going
 to do it, this may be helpful:
 dpkg --get-selections >
 /path/to/partition/for/keeping/stuff/selections
 and then after the basic install do
 dpkg --set-selections < /path/to/place/you/put/selections
 and then do apt-get dselect-upgrade
 to bring in the selection of packages you had before.

...
>
> Ah, so your procedure would produce a list of packages, but not versions.  
> So, after I install Etch, I would then get the Etch version of thoses 
> packages...not the Lenny version.  Is this correct?  If so, then this 
> sounds like something I would like to do.
>

yes, except, if the packages names have changed, you might have
problems. I don't know what dpkg might do if you feed it bad names... 

if that ends up being a problem, you'd have to edit the list. 

hmmm... 

I just did 

echo foobar install | dpkg --set-selections 

and it seemed to fail silently. That is, it produced no output but
didn't add the package foobar to the selections that came out in a
subsequent dpkg --get-selections. I'm sure the failure to put foobar
in the list is the right behavior. I'm not sure if failing silently is
the right behavior. 

ymmv.


A


signature.asc
Description: Digital signature

Re: resolv.conf getting overwritten [SOLVED]

[Harvey Kelly]

No trouble since installing resolvconf.  Surely it
should be installed be default...

--- Harvey Kelly <[EMAIL PROTECTED]> wrote:

> Hi Steven,
> 
> No I didn't(!), so I've apt-gotten it and I'll see
> if
> that works...
> 
> --- Steven <[EMAIL PROTECTED]> wrote:
> 
> > On Thu, 26 Jul 2007 20:07:05 +0100, Harvey Kelly
> > wrote:
> > 
> > > No matter what, /etc/resolv.conf will get
> > overwritten with
> > 
> > Do you have the package 'resolvconf' installed? 
> > It's required by some 
> > other common network packages.  I had to read the
> > docs/README a few times 
> > when it first showed up in Sid because it drove me
> > nuts.
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to
> > [EMAIL PROTECTED] 
> > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]
> > 
> > 
> 
> 
> 
>  
>
___
> Yahoo! Answers - Got a question? Someone out there
> knows the answer. Try it
> now.
> http://uk.answers.yahoo.com/ 
> 
> 
> -- 
> To UNSUBSCRIBE, email to
> [EMAIL PROTECTED] 
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> 
> 



  ___ 
Yahoo! Mail is the world's favourite email. Don't settle for less, sign up for
your free account today 
http://uk.rd.yahoo.com/evt=44106/*http://uk.docs.yahoo.com/mail/winter07.html 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: adduser kills sound pt. 3

[Bob Proulx]

Oleg Verych wrote:
> Bob Proulx wrote:
> I'm just a user, but developers seem to have some problems in the
> past: #208848.

But Bug#208848 says that cron needed a dependency upon adduser, which
it now has because of that bug.  Reading that bug this was
specifically for build daemons with a minimum system without adduser
otherwise installed.  I don't see anything about adduser misbehaving.
That bug in particular was filed against cron not adduser.

> One thing i can't see so far, why exim4 allocates dynamic UID. E.g. in
> situation, when i will have same "/etc/", "/var/spool/exim4" but
> different (re)installation sequence, UID may change, adding unneeded
> troubles.

What trouble does it cause you when an installation on different
systems in a different order or on the same system after purging and
reinstalling system packages in a different order uses different
system ids?

There are a few globally reserved ids.  But all of those must be
between 2 and 99 because traditionally other ids started at uid 100.
Additionally room must be left for the local admin to create system
ids.  All globally allocated ids for all of Debian must fit between
2-99 and are coordinated through the base-passwd maintainer.

Most systems, not just Debian, use dynamically assigned ids at package
installation time.  This is a very common practice.  It is sometimes
inconvenient but rarely causes serious enough problems to cause a move
to globally allocated ids.

> [EMAIL PROTECTED]:$ du -hs adduser deluser 
> ../share/perl5/Debian/AdduserCommon.pm
> 32K adduser
> 16K deluser
> 8.0K../share/perl5/Debian/AdduserCommon.pm
> [EMAIL PROTECTED]:$
> 
> 56K just for random UID/GID or similar functionality is too much (IMHO,
> of course). Also it pulls "passwd" anyway.

Hmm...  We have completely different ideas of scale.  That seems
pretty small to me.  I ran perl-source-stats (from perl monks) on
those perl scripts and this is what it turned up.

  /usr/sbin/adduser
  Found 745 LOC
  Found 142 comment lines

  /usr/sbin/deluser
  Found 348 LOC
  Found 63 comment lines

  /usr/share/perl5/Debian/AdduserCommon.pm
  Found 166 LOC
  Found 31 comment lines

That is only 1053 lines of perl code in total across all three of
those files.  I consider that quite reasonable.  I am against the
practice of "perl golf" where the smallest number of strokes wins.
I much prefer verbose over terse if it improves readability.

I have not looked at those scripts previously and did not spend time
on them now so can't vote yes or no on their overall good or bad
style and are just commenting on them statistically.

> > If there is a problem with adduser then it should be reported so that
> > it can be addressed.  The BTS does not show anything too scary.  It is
> > in heavy use by thousands of users.  I think that specific examples of
> > problems need to be shown before we can start thinking that there is a
> > problem with adduser.  (Although I am sure that the code could be
> > improved.  That is almost always true of any project.)
> 
> So, if exim4 expressly wants dynamic ID, i will be on my own.

I am certainly not the one the convince.  The documented proceedure is
to coordinate with the base-passwd maintainer.  But I would expect
that you would need a pretty strong reason.  Among other things none
of the other MTA packages (e.g. postfix, sendmail) have one and so
would need to say why exim4 is requiring a global id assignment when
the others don't.

> As for sources in perl, i just can't understand why it get so big for
> some little benefit.
> 
> our $configfile = undef;
> our $found_group_opt = undef;
> ...
> my $existing_user = undef;
> my $existing_group = undef;
> ...

That in partcular looks like a typical process so that 'perl -w' and
'use strict;' are happy and do not produce usage warnings.

> As i said, i will try to do a simple solution. If i will fail, so be it.

The original poster Rick Spillane seemed to be having trouble with
/etc/group becoming corrupted.  Are you having similar problems?

What are you trying to do?

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Stability issues

[Mike Robinson]

Andrew Sackville-West wrote:

On Thu, Jul 26, 2007 at 06:04:58PM -0400, Mike Robinson wrote:

Andrew Sackville-West wrote:

On Thu, Jul 26, 2007 at 05:26:36PM -0400, Mike Robinson wrote:

Mike Robinson wrote:
Well, I've decided to throw in the towel and install Etch.  I think I'd 
like to boot with an Etch install CD, keep my partitions, but blow away 
the Debian Testing installation with Etch.  I have one large partition 
with all of the data I need to save; the rest can go away.  I've never 
done anything like this before, so any warnings/advice is welcome.

I've lost track of what brought you to this stage, but if you're going
to do it, this may be helpful:
dpkg --get-selections >
/path/to/partition/for/keeping/stuff/selections
and then after the basic install do
dpkg --set-selections < /path/to/place/you/put/selections
and then do apt-get dselect-upgrade
to bring in the selection of packages you had before.
note though that if package names changed between etch and lenny, then
there could be problems... you may have to manually edit the list.
If I simply want to install Etch (no Lenny packages) would I still have to 
do
this?  None of the data that I'm saving is Lenny specific.  My intent is to 
stick

with the stable Debian loads from now on.


well you don't have to do it at all. its just an easy way to recreate
your installed set of packages... instead of going through whatever
method you use and selecting everything you want to install. 


if you are only installing the tasksel selections and not adding
additional software, then there is no reason to do this. I just know
that if I had to reinstall my current machine, I'd want to pull a list
of what was installed as I've got a couple years of built-up stuff on
here and wouldn't want to hassle with trying to remember it all. 


A


Ah, so your procedure would produce a list of packages, but not versions.  So, 
after I install Etch, I would then get the Etch version of thoses packages...not 
the Lenny version.  Is this correct?  If so, then this sounds like something I 
would like to do.


-Mike


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Cron and mail

[Sergio Belkin]

--- El Jue 26 Jul 2007, Andrew Sackville-West encontró un teclado y tipeó lo 
siguiente: 
> AS: On Thu, Jul 26, 2007 at 08:33:30AM -0300, Sergio Belkin wrote:
> AS: > --- El Jue 26 Jul 2007, Marc encontró un teclado y tipeó lo
> siguiente: AS: > > Ma: Hmmm.. one thing might be that the variable is
> called "MAILTO" and not AS: > > Ma: "MAIL"?
> AS: > > Ma: You can try with that, but in general, as the man page says:
> AS: > > Ma: "When executing commands, any output is  mailed  to  the  owner
>  of AS: > > Ma: the  crontab ..."
> AS: > > Ma:
> AS: > > Ma: Sergio Belkin wrote:
> AS: > > Ma: > Hi
> AS: > > Ma: > Non-root users are not getting information mail about
> scheduled AS: > > tasks. Ma: > I've included the line MAIL=joendoe in
> jondoe user. Task are AS: > > performed Ma: > but users are not notified.
> AS: > > Ma: >
> AS: > > Ma: > I am using Etch and exim4. What's wrong with this?
> AS: > > Ma:
> AS: > > Ma:
> AS: >
> AS: > Thanks, "MAIL" was a typo, but even if I issue MAILTO=jondoe in
> jondoe user AS: > crontab file, it doesn't work either...
> AS:
> AS: does mail work on the system? can you mail from the command line? does
> AS: the cron job produce any output to mail?
> AS:
> AS: A
> AS:

It seems that maildir (as I had configured it) won't work with cron (am I 
right?) I've changed to mbox, and now it works...

-- 
Sergio Belkin
Soluciones Informáticas Open Source
Community Site http://www.openkairos.com
Blog http://sebelk.blogspot.com

Re: Stability issues

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 06:04:58PM -0400, Mike Robinson wrote:
> Andrew Sackville-West wrote:
>> On Thu, Jul 26, 2007 at 05:26:36PM -0400, Mike Robinson wrote:
>>> Mike Robinson wrote:
>>> Well, I've decided to throw in the towel and install Etch.  I think I'd 
>>> like to boot with an Etch install CD, keep my partitions, but blow away 
>>> the Debian Testing installation with Etch.  I have one large partition 
>>> with all of the data I need to save; the rest can go away.  I've never 
>>> done anything like this before, so any warnings/advice is welcome.
>> I've lost track of what brought you to this stage, but if you're going
>> to do it, this may be helpful:
>> dpkg --get-selections >
>> /path/to/partition/for/keeping/stuff/selections
>> and then after the basic install do
>> dpkg --set-selections < /path/to/place/you/put/selections
>> and then do apt-get dselect-upgrade
>> to bring in the selection of packages you had before.
>> note though that if package names changed between etch and lenny, then
>> there could be problems... you may have to manually edit the list.
>
> If I simply want to install Etch (no Lenny packages) would I still have to 
> do
> this?  None of the data that I'm saving is Lenny specific.  My intent is to 
> stick
> with the stable Debian loads from now on.

well you don't have to do it at all. its just an easy way to recreate
your installed set of packages... instead of going through whatever
method you use and selecting everything you want to install. 

if you are only installing the tasksel selections and not adding
additional software, then there is no reason to do this. I just know
that if I had to reinstall my current machine, I'd want to pull a list
of what was installed as I've got a couple years of built-up stuff on
here and wouldn't want to hassle with trying to remember it all. 

A


signature.asc
Description: Digital signature

Re: Where is Lame in Sarge?

[Hal Vaughan]

Uh, just ignore that other response.  I forgot which e-mail was still on 
the screen when I hit "reply."

It's just one of those days...

Hal


On Thursday 26 July 2007, Hal Vaughan wrote:
> Thanks, everyone, for the suggestions and offers.  I've contacted
> someone who will be swapping routers with me tomorrow.  I had several
> other responses, but I didn't want to say anything until I had
> confirmed we could swap.
>
> Thanks again!
>
> Hal
>
> On Thursday 26 July 2007, Hal Vaughan wrote:
> > I have a server running Sarge.  I tried to find lame and got this:
> >
> > [EMAIL PROTECTED]:root]$ aptitude show lame
> > Package: lame
> > State: not a real package
> >
> > This was after trying to install it just by the name "lame."  Then
> > I did this:
> >
> > [EMAIL PROTECTED]:root]$ aptitude search lame
> > p  flamethrower - Multicast file distribution utility
> > c  glame - versatile audio processor
> > v  lame -
> > p  systemimager-server-flamethrowerd - SystemImager boot binaries
> > for i386 client nodes
> > p   toolame - MPEG-1 layer 2 audio encoder
> >
> > (Extra spaces removed.)
> >
> > Neither toolame or glame provide lame itself.  It's LPGL, does that
> > create a conflict with Debian's social contract?
> >
> > Do I have to go out of the repositories to add lame?
> >
> > Thanks!
> >
> > Hal



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: DHCPD giving IP to wrong machine

[Clarence W. Robison]

On 26 Jul 2007 at 16:05, Clarence W. Robison wrote:

> I have an entry in my dhcp3 dhcpd.conf which says that host xyz with
> certain MAC address should receive a fixed ip address. The server does
> not respect that entry and gives the IP address to another host with a
> different MAC address. I don't quite understand why it, dhcpd, should do
> that. Is normal behavior?
> 

OPPS, the message left before I could paste snippets of the conf file.
 dhcpd.conf -- # #
Global Options pid-file-name "/var/run/dhcpd.pid"; lease-file-name
"/var/lib/dhcp3/dhcpd.leases"; log-facility local1; ignore client-updates;
ddns-update-style none; option domain-name-servers  XXX.XXX.XXX.3,
XXX.XXX.XXX.223; default-lease-time  3600; max-lease-time 
14400; authoritative; subnet XXX.XXX.XXX.0 netmask
255.255.255.192 { # Default Options
  option routersXXX.XXX.XXX.1;
  option subnet-mask255.255.255.192;
  option domain-name".XX.XXX";  
  option time-offset-25200; # Mountain Standard Time
  option ntp-serversXXX.XXX.XXX.3, XXX.XXX.XXX.58;

  range dynamic-bootp   XXX.XXX.XXX.22 XXX.XXX.XXX.60;

  host xxx {  
hardware ethernet 00:13:20:2d:31:d1;
fixed-address XXX.XXX.XXX.22;
 }

  host yyy {  
hardware ethernet 00:03:47:f4:6b:8e;
fixed-address XXX.XXX.XXX.23;
  }

... snipped out 27 fixed-address blocks ..

  host zzz {
hardware ethernet 00:19:d1:05:ce:fd;
fixed-address XXX.XXX.XXX.50;
  }
  }

 endof conf ---
The ip address which are not "fixed" in the conf file do not appear to be
all in use when this happens.

Any advice would be appreciated.

TIA
Clarence


-- 
Clarence W. Robison, P.E.
[EMAIL PROTECTED]
208-423-6610

--- End of forwarded message - 
Clarence W. Robison, P.E.
[EMAIL PROTECTED]
208-423-6610



WPM$1666.PM$
Description: Mail message body

Re: Where is Lame in Sarge?

[Hal Vaughan]

On Thursday 26 July 2007, Bob Proulx wrote:
> Hal Vaughan wrote:
> > Manon Metten wrote:
> > > Hal Vaughan wrote:
> > > > Neither toolame or glame provide lame itself.  It's LPGL, does
> > > > that create a conflict with Debian's social contract?
>
> The mp3 encoder is patented outside of the context of the software
> license for that particular program.
>
>   http://en.wikipedia.org/wiki/MP3#Licensing_and_patent_issues
>
> > > Before you can install lame,  you have to add this line to your
> > > /etc/apt/sources.list:
> >
> > Is this fairly new?  I had never had a problem before, but I may
> > not have been trying to do anything with multimedia on Sarge
> > before.
>
> This has been true thoughout the history of Sarge.  And Sarge
> released June 2005.  It has subsequently been replaced with Etch
> released April 2007.  You really should consider upgrading to Etch at
> least before Lenny releases.  :-)

I will be upgrading to Etch, but I've been so busy with the aftermath of 
a death in the family a few months before Etch went stable and a heavy 
programming load for the past 2 months, that I haven't even had time to 
check up on what kind of "gotchas" I need to be aware of.  I know 
there's an issue with MySQL and permissions with an easy work around, 
but other than that, I want to have time to check out known issues 
before I upgrade a server.

On the other hand, what's the expected release date for Lenny going 
Stable?  With Etch going Stable in April, I figure I still have another 
8 - 9 months before Lenny is stable.  :-)

> That depot has been moved around to various places over the last
> few years.  It seems to be at a permanent home now at
> www.debian-multimedia.org.

They're saying for Sarge to use one of their mirrors.  I guess I can 
change that when I upgrade to Etch.

Hal


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Boinc Clients Niceness

[Gilles Mocellin]

Le Thursday 26 July 2007 08:38:17 David Baron, vous avez écrit :
> Is there any way to control the niceness of boinc_client processes?
>
> Setiathome, for example, will initially come up niced. When it restarts,
> for example a new "work unit", it comes up not nice. It's options,
> controlled from their site, include nothing to control this and it has its
> own system of assigning priorities and niceness on its start.

It seems to handle that alone.

Searching th boinc process :
 [EMAIL PROTECTED]:/donnees/programmes/BOINC$ ps -ef | grep boinc
 gilles3428  6861  0 00:02 pts/100:00:00 grep boinc
 gilles5125 1  0 Jul26 ?00:00:00 SCREEN -d -m ./boinc
 gilles5136  5125  0 Jul26 pts/000:00:00 ./boinc
 gilles6798 1  0 Jul26 ?00:00:03 kboincspy -session
 10c8e7ce7400011439138260258350060_1172733165_909240

What nice value and priority :
 [EMAIL PROTECTED]:/donnees/programmes/BOINC$ ps -o pid,cmd,nice,pri -p 5136
   PID CMD  NI PRI
  5136 ./boinc   0  24

What about the real copute processes, son of boinc :
 [EMAIL PROTECTED]:/donnees/programmes/BOINC$ ps -ef | grep 5136
 gilles3433  6861  0 00:02 pts/100:00:00 grep 5136
 gilles5136  5125  0 Jul26 pts/000:00:00 ./boinc
 gilles5219  5136 97 Jul26 pts/000:56:47 
 setiathome-5.12.i686-pc-linux-gnu

Here's setiathome nice and prio :
[EMAIL PROTECTED]:/donnees/programmes/BOINC$ ps -o pid,cmd,nice,pri -p 5219
   PID CMD  NI PRI
  5219 setiathome-5.12.i686-pc-lin  19   5

So :
1) Prio does not mean what I thought ;-)
2) Nice value for the process which handle the computation are at the maximum 
value.


signature.asc
Description: This is a digitally signed message part.

DHCPD giving IP to wrong machine

[Clarence W. Robison]

I have an entry in my dhcp3 dhcpd.conf which says that host xyz with certain 
MAC address should receive a fixed ip address. The server does not respect 
that entry and gives the IP address to another host with a different MAC 
address. I don't quite understand why it, dhcpd, should do that. Is normal 
behavior?

tia-- 
Clarence W. Robison, P.E.
[EMAIL PROTECTED]
208-423-6610


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Stability issues

[Mike Robinson]

Andrew Sackville-West wrote:

On Thu, Jul 26, 2007 at 05:26:36PM -0400, Mike Robinson wrote:

Mike Robinson wrote:
Well, I've decided to throw in the towel and install Etch.  I think I'd 
like to boot with an Etch install CD, keep my partitions, but blow away the 
Debian Testing installation with Etch.  I have one large partition with all 
of the data I need to save; the rest can go away.  I've never done anything 
like this before, so any warnings/advice is welcome.


I've lost track of what brought you to this stage, but if you're going
to do it, this may be helpful:

dpkg --get-selections >
/path/to/partition/for/keeping/stuff/selections


and then after the basic install do

dpkg --set-selections < /path/to/place/you/put/selections

and then do 


apt-get dselect-upgrade

to bring in the selection of packages you had before.

note though that if package names changed between etch and lenny, then
there could be problems... you may have to manually edit the list.


If I simply want to install Etch (no Lenny packages) would I still have to do
this?  None of the data that I'm saving is Lenny specific.  My intent is to 
stick
with the stable Debian loads from now on.

-Mike



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: How to generate script with Apache and run it by root avoiding to "kill" security

[Guillermo Garron]

On 7/26/07, Michael Pobega <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> > Hi List,
> >
> > I am creating a PHP small program that will interact with MySQL and
> > will have the policies for the people in my office, i.e.:
> > Who can or can not access MSN messenger
> > Who can or can not access WWW
> >
> > etc. once this is stored, a shell script with the iptables rules
> > should be created, and then run.
> >
> > I do not want to run it with Apache, so I was thinking on creating a
> > CRON job that will run it as root once every n minutes, but the issue
> > i see here, is that if somebody "break" my Apache security he will be
> > able to create any script he likes and my CRON will run it, killing my
> > server security.
> >
> > any better ideas about how can I achieve my goal?
> >
> > thanks in advance.
> >
> > best regards.
> >
>
> Make a user specifically for this job that can access /sbin/iptables
> through sudo, and make the script do just that, access iptables using
> sudo and this new account.
>
> Then make sure the bash script is owned by the new accounts, and root's
> group, and chmod the script to r-xrwxr-- by doing:
>
> chmod u+rx g+rwx o+r u-w o-wx /path/to/script
>
> This *should* achieve what you are trying to do...It's a bit messy but
> in the end it will pay off, the only way I can see this being abusable
> is if someone gets access to your root account.

Thank you all for your help, I will take that into account, personally
I like the Michael's aproach, thanks.

Answering to Andrew, what I need to do is that only one person (The
administrator of this network -not a Linux guy-) have access to this
webpage using .htaccess or some other Apache security, but I want to
add more security to this, and that is why I have posted here, thanks
you all gave a good point to start.

best regards.

-- 
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using FC6, CentOS4.4 and Ubuntu 6.06)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: adduser kills sound pt. 3

[Oleg Verych]

* Bob Proulx (Thu, 26 Jul 2007 13:48:18 -0600)
>
> Oleg Verych wrote:
[--]
>> Funny, i've discovered, how bloated adduser is yesterday, while
>> developing my aggressive distro-cleaner. Now i'm thinking about
>> writing patches at least for exim4 and cron to have support for
>> ordinary useradd from passwd package.
>
> It is Policy for packages to use adduser and addgroup.  Patches to
> avoid using it would be a policy bug by definition and should be
> rejected.
>
>   http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2

I didn't know that. Thanks for the pointer.

[EMAIL PROTECTED]:$ id -u
19810702
[EMAIL PROTECTED]:$

Hm, it works for me, while it's more than (u16)(-1) stated in policy. 
I'm just a user, but developers seem to have some problems in the
past: #208848.

One thing i can't see so far, why exim4 allocates dynamic UID. E.g. in
situation, when i will have same "/etc/", "/var/spool/exim4" but
different (re)installation sequence, UID may change, adding unneeded
troubles.

> Bloated?  What do you mean?  If I don't include documentation because
> most people consider documentation to always be a good thing then I
> only see these files.  How is adduser bloated?
>
>   /etc/deluser.conf
>   /usr/sbin/addgroup
>   /usr/sbin/adduser
>   /usr/sbin/delgroup
>   /usr/sbin/deluser
>   /usr/share/adduser/adduser.conf
>   /usr/share/lintian/overrides/adduser
>   /usr/share/perl5/Debian/AdduserCommon.pm

[EMAIL PROTECTED]:$ du -hs adduser deluser 
../share/perl5/Debian/AdduserCommon.pm
32K adduser
16K deluser
8.0K../share/perl5/Debian/AdduserCommon.pm
[EMAIL PROTECTED]:$

56K just for random UID/GID or similar functionality is too much (IMHO,
of course). Also it pulls "passwd" anyway.

> If there is a problem with adduser then it should be reported so that
> it can be addressed.  The BTS does not show anything too scary.  It is
> in heavy use by thousands of users.  I think that specific examples of
> problems need to be shown before we can start thinking that there is a
> problem with adduser.  (Although I am sure that the code could be
> improved.  That is almost always true of any project.)

So, if exim4 expressly wants dynamic ID, i will be on my own.
As for sources in perl, i just can't understand why it get so big for
some little benefit.

#v+
our $configfile = undef;
our $found_group_opt = undef;
our $found_sys_opt = undef;
our $ingroup_name = undef;
our $new_firstuid = undef;
our $new_gecos = undef;
our $new_gid = undef;
our $new_lastuid = undef;
our $new_uid = undef;
our $no_create_home = undef;
our $special_home = undef;
our $special_shell = undef;
our $add_extra_groups = 0;

# Global variables we need later
my $existing_user = undef;
my $existing_group = undef;
my $new_name = undef;
my $make_group_also = 0;
my $home_dir = undef;
my $undohome = undef;
my $undouser = undef;
my $undogroup = undef;
my $shell = undef;
my $first_uid = undef;
my $last_uid = undef;
my $dir_mode = undef;
my $perm = undef;
#v-

As i said, i will try to do a simple solution. If i will fail, so be it.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: AIC-9410 problems during installation

[Todd Troxell]

On 7/19/07, Wetzelaer, Volker <[EMAIL PROTECTED]> wrote:


 Hi,

I have a problem installing debian on my system.
Seems like there is no driver for the Adaptec AIC-9410 in Etch but in Sid
there is one.
But even with the correct driver in Sid the installer does not find any
disk-drive.
I tried the SCSI-Controller in RAID and in normal mode, makes no changes.

(HDD´s are 2x217GB Seagate)

Does enaybody know this problem and can help me ?


Hi Volker,

Did you have any luck getting this SAS card wokring yet?  I am in the same
position.

-Todd

Re: Getting wake-on-lan to work in Etch

[Gilles Mocellin]

Le Thursday 26 July 2007 14:14:57 Raj Kiran Grandhi, vous avez écrit :
> On 7/26/07, Gilles Mocellin <[EMAIL PROTECTED]> wrote:
> > Le Wednesday 25 July 2007 01:46:03 Raj Kiran Grandhi, vous avez écrit:
> > > Hi,
> > >
> > > I am trying to get "wake on lan" to work in Etch. I have a motherboard
> > > with an onboard NIC which supports wake-on-lan. I have enabled
> > > wake-on-lan in the bios. When I poweroff the computer during POST, I am
> > > able to remotely wake it, but if I shut it down from Etch, power to the
> > > NIC is also being turned off and wake-on-lan does not work. I have
> > > edited '/etc/init.d/halt' and removed the '-i' option from the 'halt'
> > > command, but the NIC is still being powered down.
> >
> > Try to add this line in your /etc/network/interfaces :
> >   post-down ethtool -s eth0 wol g
> >
> > It tells your nic to prepare to be woken up, so perhaps it will not power
> > off.
> >
> > Install ethtool if you don't have it.
>
> ethtool did the trick! Thanks a lot. Only, I had to add that line as a
> script in the /etc/network/if-up.d directory.

It's OK, I just thought it was more suitable to set wol for the card on 
network stop, not start.
But I was perhaps wrong about the post-down, perhaps a bit too late.
If it work at start, let's go. Personnaly, I prefer to add a "up" line in 
my /etc/network/interfaces instead of create a script 
in /etc/network/if-up.d. That Way I know wich interface is up.



signature.asc
Description: This is a digitally signed message part.

Re: Stability issues

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 05:26:36PM -0400, Mike Robinson wrote:
> Mike Robinson wrote:
>> I'm almost to the point of blowing the system away and installing Etch.  
>> Anyone with insight would be appreciated.
>
> Well, I've decided to throw in the towel and install Etch.  I think I'd 
> like to boot with an Etch install CD, keep my partitions, but blow away the 
> Debian Testing installation with Etch.  I have one large partition with all 
> of the data I need to save; the rest can go away.  I've never done anything 
> like this before, so any warnings/advice is welcome.

I've lost track of what brought you to this stage, but if you're going
to do it, this may be helpful:

dpkg --get-selections >
/path/to/partition/for/keeping/stuff/selections


and then after the basic install do

dpkg --set-selections < /path/to/place/you/put/selections

and then do 

apt-get dselect-upgrade

to bring in the selection of packages you had before.

note though that if package names changed between etch and lenny, then
there could be problems... you may have to manually edit the list.

A


signature.asc
Description: Digital signature

Re: why do iceweasel et al have more frequent security issues?

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 10:52:07PM +0200, Erik Persson wrote:

> Anyhow, the basic fact that there is fewer security alerts in Konq makes 
> this a more secure browser, whether this maybe is because only of a smaller 
> user base or not.

I'm sorry, and i hate to argue with people, but this last statement
just doesn't fly with me. security alerts are the result of someone
finding a security problem and reporting it. The fact that fewer
security alerts exist does _NOT_ mean that konq is more secure. It
only means it has fewer reported security problems. Now it _could_ be
that this is because there actually _are_ fewer security problems, but
it could _also_ be because no one has _found_ or reported
problems. There's an important distinction there.  

WARNING! CAR ANALOGY!

if we have two cars parked side-by-side and mine is stolen (I'll
take the fall for this analogy ;) and yours is not, does that mean
that your car is more secure? no. it means someone looked for a way
into my car and exploited it. maybe they never even looked at your
car. maybe they don't like your car. There are any number of reasons
why your car was not stolen. it could be that they looked at your car
and decided it was too hard to steal because it had an alarm, in which
case it would be more secure, but that isn't necessarily why it wasn't
stolen. 

END CAR ANALOGY!

a more pertinent fake example.

programmer X finds a security hole in konq that when visiting a
carefully crafted website, allows remote execution of code, privilege
escalation and ultimately results in a box getting
rooted. okay. that's obviously a security problem. but programmer X
doesn't report this problem and no security alert is issued.  

programmer Y finds a security hole in mozilla that allows an already
installed plugin at a certain version to escalate its own privileges and as a 
result
download and save a piece of code to disk with the name
"execute_me". Now if the user happens to see that file and thinks,
hmmm... I wonder what that is and executes it (after chmod +x) it does
a rm -rf on their home. programmer y reports this security hole and a
security alert is made detailing the problem. 

now, clearly, the konq vulnerability is *much* more of a security risk
than the mozilla error, right? the mozilla one requires the plugin be
already installed and the right version and then requires the user to
actually chmod and execute the thing. the konq one just requires the
user to visit a carefully crafted website. 

but based on what you've written above, because the mozilla one was
reported, then mozilla is less secure than konq. that doesn't add
up. And in fact, in my fake example above, the lack of security alert
makes konq even more of a security problem because 1) the right devs
might not know about the problem to issue a patch and 2) the public
doesn't know about the problem to avoid it until a patch comes along.

A


signature.asc
Description: Digital signature

Re: Stability issues

[Mike Robinson]

Mike Robinson wrote:
I'm almost to the point of blowing the system away and installing Etch.  
Anyone with insight would be appreciated.


Well, I've decided to throw in the towel and install Etch.  I think I'd like to 
boot with an Etch install CD, keep my partitions, but blow away the Debian Testing 
installation with Etch.  I have one large partition with all of the data I need to 
save; the rest can go away.  I've never done anything like this before, so any 
warnings/advice is welcome.


Thanks,
Mike


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Ron Johnson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/26/07 15:52, Erik Persson wrote:
> Douglas Allan Tutty wrote:
>> It seems that the mozilla-derived browsers have security issues
>> requiring updates far more frequently than other browsers like Konqueror
>> or links2.
>>
>> I'm curious as to why this is.  Does anyone have any ideas? 
>> I'm on dialup and switched to Konq for this very reason but sometimes I
>> have a website that doesn't work and its handy to see if iceweasel will
>> view it.  (so far the only one is the adobe flashplayer test page).
>>
>> Doug.
> 
> As you can see from the other answers, nobody has a clue if the
> mozilla-based browsers are less secure than the konq or not. I haven't
> inspected the code either, so I don't have any more facts than anyone
> else. I do NOT agree with the other answers however.
> 
> If there are fewer security alerts with Konq the only reasonable
> conclusion, if you don't have strong facts pointing the other way, is
> that Konq is more secure, and that this is partly because of better
> code. The larger userbase of Firefox is very likely to generate a larger
> number of discovered security issues, but as far as I know, no one can
> tell you how many more bugs are generated per user or per extra
> programmer, and probably no one can tell you the how user base and
> security issue rate correlate more precisely. From this, the most
> reasonable conclusion is that Konq is more secure.
> Anyhow, the basic fact that there is fewer security alerts in Konq makes
> this a more secure browser, whether this maybe is because only of a
> smaller user base or not.

That's just not logical.

For example, just because people didn't know about germs in 1825
didn't mean that they didn't exist.

- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqQ/xS9HxQb37XmcRAmEIAJ9jYuBKgCH8UqBl/af8cTTp07s1EACgzfQI
K43lCcCEtIpwz7MUIVlmX68=
=hR9W
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Where is Lame in Sarge?

[Bob Proulx]

Hal Vaughan wrote:
> Manon Metten wrote:
> > Hal Vaughan wrote:
> > > Neither toolame or glame provide lame itself.  It's LPGL, does that
> > > create a conflict with Debian's social contract?

The mp3 encoder is patented outside of the context of the software
license for that particular program.

  http://en.wikipedia.org/wiki/MP3#Licensing_and_patent_issues

> > Before you can install lame,  you have to add this line to your
> > /etc/apt/sources.list:
> Is this fairly new?  I had never had a problem before, but I may not 
> have been trying to do anything with multimedia on Sarge before.

This has been true thoughout the history of Sarge.  And Sarge released
June 2005.  It has subsequently been replaced with Etch released April
2007.  You really should consider upgrading to Etch at least before
Lenny releases.  :-)

That depot has been moved around to various places over the last
few years.  It seems to be at a permanent home now at
www.debian-multimedia.org.

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Several GTK-apps not working anymore after update

[danteonline]

Hello there

I'm new to this submit-bugs-thing and I hope I'm not doing anything terribly 
wrong here.

I could not determine what package contains the bug, so I'm mailing to this 
list.

Problem: I updated my debian lenny/sid system today (at about 14:00 CET, 
26.07.07). 
After that update, I noticed that i couldn't launch iceweasel anymore, it gave 
me the error:



Pango-ERROR **: file pangofc-fontmap.c: line 438 (pango_fc_font_map_add): 
assertion failed: (fcfont->fontmap == NULL)
aborting...



The big problem is, that message also appears in applications like zenity. 
Other apps, like gimp, pidgin and quodlibet fail to launch after the update 
too, but they don't seem to give me any distinct error output 
but "segmentation fault".

I assumed the bug was in either libpango1.0-0 or libpango1.0-common, due to 
the fact that I only have those packages installed that contain pango in the 
name.

Reinstalling libpango1.0-common gives me the following warning:



Cleaning up font configuration of pango...
Updating font configuration of pango...
Cleaning up category xfont..
Updating category xfont..
*** You don't have any defomized font packages.
*** So we are trying to force to generate pangox.aliases...



Note: I do have defoma installed, I even reinstalled.

Any suggestions? How can I test if the packages I installed are the official 
ones and not some 3rd party ones? I chose mirror.switch.ch for the packages.

Greets, Dante


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Erik Persson]

Douglas Allan Tutty wrote:

It seems that the mozilla-derived browsers have security issues
requiring updates far more frequently than other browsers like Konqueror
or links2.

I'm curious as to why this is.  Does anyone have any ideas?  


I'm on dialup and switched to Konq for this very reason but sometimes I
have a website that doesn't work and its handy to see if iceweasel will
view it.  (so far the only one is the adobe flashplayer test page).

Doug.


As you can see from the other answers, nobody has a clue if the 
mozilla-based browsers are less secure than the konq or not. I haven't 
inspected the code either, so I don't have any more facts than anyone 
else. I do NOT agree with the other answers however.


If there are fewer security alerts with Konq the only reasonable 
conclusion, if you don't have strong facts pointing the other way, is 
that Konq is more secure, and that this is partly because of better 
code. The larger userbase of Firefox is very likely to generate a larger 
number of discovered security issues, but as far as I know, no one can 
tell you how many more bugs are generated per user or per extra 
programmer, and probably no one can tell you the how user base and 
security issue rate correlate more precisely. From this, the most 
reasonable conclusion is that Konq is more secure.
Anyhow, the basic fact that there is fewer security alerts in Konq makes 
this a more secure browser, whether this maybe is because only of a 
smaller user base or not.


/erik


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Sarge: Lost # of failed logins

[Florian Kulzer]

On Thu, Jul 26, 2007 at 13:51:27 -0600, Bob Proulx wrote:
> Mumia W.. wrote:
> > I'm using Sarge. When I log in, I no longer get a message telling me the 
> > # of failed logins.
> > 
> > For example, if I try to login but use a wrong password, when I try 
> > again using the real password, I should see a message saying "1 failed 
> > login attempts." I no longer get that message.
> 
> I personally have never seen such a message.  You must have previously
> installed or configured something that added that functionality.

I have been using Debian for about 5 years now. As far as I remember, it
always had the "n failure(s) since last login" message (if n was greater
than zero). I never had to do anything to set it up, therefore I
unfortunately don't know exactly how it works. My best guess is that it
involves some PAM modules which parse /var/log/faillog and/or use the
"faillog" command. Maybe this link helps to track it down:

http://linux.sys-con.com/read/49058.htm

(search for "faillog" on that page)

-- 
Regards,| http://users.icfo.es/Florian.Kulzer
  Florian   |


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: resolv.conf getting overwritten

[Harvey Kelly]

Hi Steven,

No I didn't(!), so I've apt-gotten it and I'll see if
that works...

--- Steven <[EMAIL PROTECTED]> wrote:

> On Thu, 26 Jul 2007 20:07:05 +0100, Harvey Kelly
> wrote:
> 
> > No matter what, /etc/resolv.conf will get
> overwritten with
> 
> Do you have the package 'resolvconf' installed? 
> It's required by some 
> other common network packages.  I had to read the
> docs/README a few times 
> when it first showed up in Sid because it drove me
> nuts.
> 
> 
> -- 
> To UNSUBSCRIBE, email to
> [EMAIL PROTECTED] 
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> 
> 



  ___
Yahoo! Answers - Got a question? Someone out there knows the answer. Try it
now.
http://uk.answers.yahoo.com/ 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Where is Lame in Sarge?

[Hal Vaughan]

On Thursday 26 July 2007, Manon Metten wrote:
> Hi Hal,
>
> On 7/26/07, Hal Vaughan <[EMAIL PROTECTED]> wrote:
>
> I have a server running Sarge.  I tried to find lame and got this:
> > 
> >
> > Neither toolame or glame provide lame itself.  It's LPGL, does that
> > create a conflict with Debian's social contract?
> >
> > Do I have to go out of the repositories to add lame?
>
> Before you can install lame,  you have to add this line to your
> /etc/apt/sources.list:
> deb http://www.debian-multimedia.org etch main
> (you may replace etch by stable of course).
>
> Then do an aptitude update and first install the
> debian-multimedia-keyring: aptitude install debian-multimedia-keyring
>
> Then aptitude install lame. That's all.
>
> Manon.

Is this fairly new?  I had never had a problem before, but I may not 
have been trying to do anything with multimedia on Sarge before.

I tried this, but used the line:

deb http://www.debian-multimedia.org sarge main

aptitude could not get the Packages file from that source.  I checked:

http://www.debian-multimedia.org

and there's a note to use:

deb http://mirror.home-dn.net/debian-multimedia sarge main  

instead if you're still on Sarge.  I've tried that a couple times to be 
sure, but aptitude still can't get the Packages file.  I downloaded 
debian-multimedia-keyring and installed it with dpkg.  Then when I did 
an update, there was no problem reading the Packages file.  From there, 
installing lame worked perfectly.

Thanks for the help on that!

Hal


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: laptop keyboard settings in debian etch

[Bob Proulx]

Erico wrote:
> I have installed debian etch and would like to configure a laptop us
> keyboard
> 
> how can I do that ?

  $ sudo dpkg-reconfigure xserver-xorg

> /etc/default/console-setup :
> XKBLAYOUT="es"
> or /etc/X11/xorg.conf :
> Option  "XkbLayout" "es"

That looks to be a spanish keyboard layout.

> Now when I get into gnome it says my X11 configuration is diferent then
> gnome

Do you have a ~/.[Xx]modmap* file?

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: RAID1 Boot Partition

[Bob Proulx]

Andrew Sackville-West wrote:
> Chaim Keren Tzion wrote:
> > I have been trying to set up a software RAID1 system with two 320GB SATA 
> > disks.

Sounds reasonable.  I have done this many times.

> > I have followed the instructions at both these links below (using lenny 
> > instead of etch because of what seems to be unsupported hardware in the 
> > older 
> > kernel):
> > http://ads.wars-nicht.de/blog/archives/54-Install-Debian-Etch-on-a-Software-Raid-1-with-S-ATA-disks.html
> > and
> > http://www.networkjack.info/blog/2007/01/03/debian-linux-etch-software-raid-1/
> > 
> > I had issues with both procedures.
> > 1. Both of them failed when I chose to install the "Standard system" item 
> > in 
> > the tasksel stage of the install.

What was the failure?  This may be unrelated to linux kernel software
raid.  If you have time and resources it may be useful to install a
test system without raid to verify that your hardware is otherwise
supported.  I say that since you mention that hardware support drove
you to Lenny.

> > 2. When I chose to not install the "Standard system" I
> > A) got a minimalistic system which uses lilo(yuck) as a boot loader
> 
> so install grub. (probably after the stuff below...)

The debian installer selects lilo if it does not think grub will
work.  For example if /boot is on lvm then lilo is selected.  So the
fact that the d-i selected lilo indicates to me that you have something
in your setup wrong.  In which case installing grub specifically
probably won't help and probably won't lead to a successful boot.

> > B) The RAID1 MD device that I created for the /boot partition exists but 
> > was 
> > not added to the /etc/fstab, no files were written to that device/partition 
> > and the system actually boots from the root MD device instead.
> 
> create a mount point: /newboot, mount the md0 device there, copy over
> the /boot stuff to /newboot. umount /newboot and remount it at
> /boot. manually install grub to each of the disks so that you can boot
> from either one. Fix up your /boot/grub/menu.lst so that it points to the
> right devices...

Sounds reasonable.  And the exercise would lead to a better
understanding of the process.  But if this is a fresh installation
then it might be easier and create a cleaner to do it again and figure
out what was incorrectly set up the first time.

> > 3) The second URL above uses LVM which I wouldn't have used otherwise but I 
> > was desperate to finally get the RAID to work and followed the instructions 
> > exactly. Is LVM any type of requirement for a software RAID system?
> 
> nope.

Agreed.  I always use lvm but incorrect usage can lead to problems
such as indicated by the d-i installing lilo instead of grub.

> > The system works but everything is on the root MD device.
> > Any ideas/pointers on how to do it right?
> > 1. I preffer Grub

I strongly prefer grub.

> > 2. Would like to boot off the first MD device/partition
> > 3. I preffer not using LVM
> > 4. I would like to have the "Standard system" packages install.
> 
> 4. you can rerun tasksel and pick the standard system from there.

Is "Standard System" one of the options when running tasksel again?  I
don't see it there.

  tasksel --list-tasks
  u desktop   Desktop environment
  u web-serverWeb server
  u print-server  Print server
  u dns-serverDNS server
  u file-server   File server
  u mail-server   Mail server
  u database-server   SQL database
  u laptopLaptop
  u manualmanual package selection

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: resolv.conf getting overwritten

[Davide Mancusi]

No matter what, /etc/resolv.conf will get overwritten
with 


nameserver 127.0.0.1


Are you using laptop-net (or similar packages)? It overwrites 
resolv.conf based on its internal configuration.


Davide
--
A tautology is a thing which is tautological.
--
Time flies like an arrow.  Fruit flies like a banana.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: resolv.conf getting overwritten

[Steven]

On Thu, 26 Jul 2007 20:07:05 +0100, Harvey Kelly wrote:

> No matter what, /etc/resolv.conf will get overwritten with

Do you have the package 'resolvconf' installed?  It's required by some 
other common network packages.  I had to read the docs/README a few times 
when it first showed up in Sid because it drove me nuts.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Sarge: Lost # of failed logins

[Bob Proulx]

Mumia W.. wrote:
> I'm using Sarge. When I log in, I no longer get a message telling me the 
> # of failed logins.
> 
> For example, if I try to login but use a wrong password, when I try 
> again using the real password, I should see a message saying "1 failed 
> login attempts." I no longer get that message.

I personally have never seen such a message.  You must have previously
installed or configured something that added that functionality.

> How do I get it back, and what could I have changed to make it go away 
> in the first place?

It sounds to me that this was a local configuration that you had
created previously.  Whatever you did before you would need to do
again or debug.

By the way...  Sarge is now oldstable and the new stable is Etch.
Consider upgrading.  Eventually security upgrade support for Sarge
will be dropped.

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: adduser kills sound pt. 3

[Bob Proulx]

Oleg Verych wrote:
> Rick Spillane wrote:
> > In the future, I will *not* use adduser, and I would
> > recommend that Debian have this application not be in the default path
> > or some substitute that issues a warning.

Strange.  adduser has always worked perfectly for me.

> Funny, i've discovered, how bloated adduser is yesterday, while
> developing my aggressive distro-cleaner. Now i'm thinking about
> writing patches at least for exim4 and cron to have support for
> ordinary useradd from passwd package.

It is Policy for packages to use adduser and addgroup.  Patches to
avoid using it would be a policy bug by definition and should be
rejected.

  http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2

Bloated?  What do you mean?  If I don't include documentation because
most people consider documentation to always be a good thing then I
only see these files.  How is adduser bloated?

  /etc/deluser.conf
  /usr/sbin/addgroup
  /usr/sbin/adduser
  /usr/sbin/delgroup
  /usr/sbin/deluser
  /usr/share/adduser/adduser.conf
  /usr/share/lintian/overrides/adduser
  /usr/share/perl5/Debian/AdduserCommon.pm

If there is a problem with adduser then it should be reported so that
it can be addressed.  The BTS does not show anything too scary.  It is
in heavy use by thousands of users.  I think that specific examples of
problems need to be shown before we can start thinking that there is a
problem with adduser.  (Although I am sure that the code could be
improved.  That is almost always true of any project.)

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Ron Johnson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 07/26/07 14:01, Andrew J. Barr wrote:
> On 7/26/07, Mathias Brodala <[EMAIL PROTECTED]> wrote:
>> Hi Douglas.
>>
>> Douglas Allan Tutty, 26.07.2007 18:23:
>> > It seems that the mozilla-derived browsers have security issues
>> > requiring updates far more frequently than other browsers like
>> Konqueror
>> > or links2.
>>
>> Aside from the fact that one software really can be more secure than
>> another one
>> is this the result of an increased usage. The more people use Gecko
>> browsers,
>> the more bugs can be found willingly or unwillingly. And the more
>> people use
>> Gecko browsers, the more lucrative is it to find security holes and
>> damage
>> systems this way.
> 
> Isn't this the same argument Windows weenies use against Linux when
> their platform of choice is rightfully chastised for being a complete
> and total security nightmare?

Yes.

But it's also "more eyes makes shallower bugs".

>And most of the time, it's laughed
> off...if I'm not mistaken, because of fundamental design differences
> between Linux and Windows--e.g. in Windows the vast majority of
> software will not run correctly without administrator privileges (yes,
> even in Vista) so you have a situation equivalent to running your
> desktop environment session as root, which, if more people did,
> perhaps we'd have a similar security situation on the Linux desktop?

Except that Unix doesn't have VBA (Visual Basic for Applications),
which allows for all sorts of scripted nastiness.

But yes, running 100% as root would let bad guys install viruses
just like in Windows.

- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqPn1S9HxQb37XmcRAjQ+AKDIeAkQXwK3cmS+ossluMz5AMGp0gCgoCRg
AxC0vGTbGuVbR+qEXqpRgl4=
=MoUb
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Where is Lame in Sarge?

[Manon Metten]

Hi Hal,

On 7/26/07, Hal Vaughan <[EMAIL PROTECTED]> wrote:

I have a server running Sarge.  I tried to find lame and got this:




Neither toolame or glame provide lame itself.  It's LPGL, does that
create a conflict with Debian's social contract?

Do I have to go out of the repositories to add lame?




Before you can install lame,  you have to add this line to your
/etc/apt/sources.list:
deb http://www.debian-multimedia.org etch main
(you may replace etch by stable of course).

Then do an aptitude update and first install the debian-multimedia-keyring:
aptitude install debian-multimedia-keyring

Then aptitude install lame. That's all.

Manon.

Re: how to restore bios password (PHEONIX on acer 5102)

[Bob Proulx]

Andrew Sackville-West wrote:
> Jabka Atu wrote:
> > but the issue is that afaik if i open the laptop i will lose my warrenty.
> 
> ...  they have effectively stolen your laptop from you by locking
> you out of its BIOS ...

Agreed.  I have never heard of a vendor laptop or otherwise setting a
bios password and claiming that removing it would void the warranty.
I consider that completely unreasonable terms.  I would refuse those
conditions and return the unit.

Other than simply being prepared for the future what functions to you
need to modify in the bios?  I am assuming that the laptop is booting
at the moment?

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: with etch, /etc/fstab root not needed?

[Bob Proulx]

Jörg-Volker Peetz wrote:
> Bob Proulx wrote:
> > Hmm...  The stock Etch installer still creates the entry.

I think it is okay if the entry remains.  It may not be strictly
required, as you say, but not going to cause a problem.

> > I don't see an initscript that does this.  Can you point it out?  Or
> > is this something new in Sid but not Etch?
>
> I'm using testing now, but as I remember it was this way also in etch.
> The script is /etc/init.d/mountkernfs.sh

Yes.  Thanks for that pointer.  I had missed it.  That is in
'initscripts' and is therefore a standard part of all systems.  I see
by the comments:

  # Mount proc filesystem on /proc
  domount proc "" /proc proc -onodev,noexec,nosuid
  ...
  # Called before mtab is writable to mount kernel and device file systems.

It then proceeds to make use of /proc in the script.  So I can imagine
that this needed an explicit action to get through the startup
bootstrapping process.

Bob


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

resolv.conf getting overwritten

[Harvey Kelly]

Hi all,

I've seen this problem whilst looking through the
archives, but can't find a solution...

No matter what, /etc/resolv.conf will get overwritten
with 

nameserver 127.0.0.1

I added the lineprepend domain-name-servers
80.189.94.2;

in /etc/dhcp3/dhclient.conf but it's still getting
overwritten.  Any clues?

Thanks.

Harvey



  ___
Yahoo! Answers - Got a question? Someone out there knows the answer. Try it
now.
http://uk.answers.yahoo.com/ 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Andrew J. Barr]

On 7/26/07, Mathias Brodala <[EMAIL PROTECTED]> wrote:

Hi Douglas.

Douglas Allan Tutty, 26.07.2007 18:23:
> It seems that the mozilla-derived browsers have security issues
> requiring updates far more frequently than other browsers like Konqueror
> or links2.

Aside from the fact that one software really can be more secure than another one
is this the result of an increased usage. The more people use Gecko browsers,
the more bugs can be found willingly or unwillingly. And the more people use
Gecko browsers, the more lucrative is it to find security holes and damage
systems this way.


Isn't this the same argument Windows weenies use against Linux when
their platform of choice is rightfully chastised for being a complete
and total security nightmare? And most of the time, it's laughed
off...if I'm not mistaken, because of fundamental design differences
between Linux and Windows--e.g. in Windows the vast majority of
software will not run correctly without administrator privileges (yes,
even in Vista) so you have a situation equivalent to running your
desktop environment session as root, which, if more people did,
perhaps we'd have a similar security situation on the Linux desktop?


Regards, Mathias


--
debian/rules






--
Andrew Barr

We matter more than pounds and pence,
your economic theory makes no sense...


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Hugo Vanwoerkom]

John Hasler wrote:

Doug writes:

It seems that the mozilla-derived browsers have security issues requiring
updates far more frequently than other browsers like Konqueror or links2.


I'm curious as to why this is.  Does anyone have any ideas? 


How many people are looking for holes in Konq or Links2? 


2?


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: How to generate script with Apache and run it by root avoiding to "kill" security

[Michael Pobega]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,
> 
> I am creating a PHP small program that will interact with MySQL and
> will have the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
> 
> etc. once this is stored, a shell script with the iptables rules
> should be created, and then run.
> 
> I do not want to run it with Apache, so I was thinking on creating a
> CRON job that will run it as root once every n minutes, but the issue
> i see here, is that if somebody "break" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
> 
> any better ideas about how can I achieve my goal?
> 
> thanks in advance.
> 
> best regards.
> 

Make a user specifically for this job that can access /sbin/iptables
through sudo, and make the script do just that, access iptables using
sudo and this new account.

Then make sure the bash script is owned by the new accounts, and root's
group, and chmod the script to r-xrwxr-- by doing:

chmod u+rx g+rwx o+r u-w o-wx /path/to/script

This *should* achieve what you are trying to do...It's a bit messy but
in the end it will pay off, the only way I can see this being abusable
is if someone gets access to your root account.

- -- 
http://digital-haze.net/~pobega/ - My Website
If programmers deserve to be rewarded for creating innovative
programs, by the same token they deserve to be punished if they
restrict the use of these programs. 
 - Richard Stallman
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqO0Jg6qL2BGnx4QRAmdmAJ4yfxhGZV6T59UtqmA2rusIu0Zh8QCgpqu/
F9khOM1a4jbHkIZXTCNxCvM=
=ZK00
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 02:06:11PM -0400, Douglas Allan Tutty wrote:
> On Thu, Jul 26, 2007 at 07:13:48PM +0200, Mathias Brodala wrote:
> > Douglas Allan Tutty, 26.07.2007 18:23:
> > > It seems that the mozilla-derived browsers have security issues
> > > requiring updates far more frequently than other browsers like Konqueror
> > > or links2.
> > 
> > Aside from the fact that one software really can be more secure than 
> > another one
> > is this the result of an increased usage. The more people use Gecko 
> > browsers,
> > the more bugs can be found willingly or unwillingly. And the more people use
> > Gecko browsers, the more lucrative is it to find security holes and damage
> > systems this way.
> 
> So this suggests that its a tradeoff: more users of Gecko means more
> people reporting bugs and therefore more bug fixes but also a more
> lucrative target for security threats; Konq may have more undiscovered
> security holes but they are undiscovered both by bug fixers and security
> threats?  
> 
> Is this the gist of the situation?

yes, but it amounts to security by obscurity... IOW, don't count on a
smaller user base to provide security simply because its a less
lucrative target... nothing prevents someone from looking for the
security holes that are surely there even if its less lucrative.

A


signature.asc
Description: Digital signature

Re: to lvm or not to lvm?

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 01:51:45PM +0300, Yuriy Padlyak wrote:
> Hi guys,
>
> No one can help me? :)
>
> Yuriy Padlyak wrote:
>> Hi again!
>>
>> Have found some time to do it all. Didn't want to reinstall everything, 
>> done everything as you suggested except /boot is still on "160GB drive"
>> without raid :-(, now I'm trying to find out how to put it on RAID :).

assuming you have two available identical partitions to use for the
RAID setup, the way *I* would _attempt_ this is to... 

1) make sure I have a grub disk available in case I blow it and can't
   boot...

2) create the RAID1 array using the two partitions.

3) migrate my /boot to that new array

4) fix up my /etc/fstab to point to it

5) fix-up my /boot/grub/menu.lst entries to point to the right devices

6) update-initramfs 

7) reboot and pray. 

this procedure was tested by me several months ago, but I don't
remember it exactly, so you are suitable warned... 

if you are already booting to a / on some combination of LVM and RAID,
then that's really the hard part. Its pretty straightforward to get
/boot onto its own RAID1. You can manually install grub onto each disk
that holds the partitions in your /boot array so that if a disk fails,
you can still boot... 

please study up on this before attempting as you don't want to blow
it.

A

oh, an alternate procedure might be to go ahead and just make a fs on
one of the partitions, migrate /boot and get that working, then make
that partition into a degraded array (missing disks) and make sure it
boots fromthere and then finally add the second (or more disks) to the
degraded array and then it will mirror and be operational.


>>
>> Does anyone have any idea how to make it safely?
>>
>> Also all file systems are in one VG now, wondering how to split them.
>>
>> Yuriy
>>
>> Douglas Allan Tutty wrote:
>>> On Fri, May 11, 2007 at 09:54:41AM +0300, Yuriy Padlyak wrote:
>>>  
 Douglas Allan Tutty wrote:

> On Sun, May 06, 2007 at 12:33:44PM +0300, Yuriy Padlyak wrote:
>  
>> Thank you for your reply. Looks like you're suggesting installation, 
>> but I have Etch 4.0 installed already. Wondering if it's possible to 
>> put existent /boot on ext3 partition and LVM volume group on RAID1. Or 
>> possibly it will be easier to reinstall and restore configuration.
>> 
> It all depends on how much extra space you have.  Its a little like a
> shell game with clear shells. If you give us your current drive(s) 
> layout including free space, and
> your goal layout, perhaps we can help you with an implementation map.
> I've totally forgotton how your drives are currently set up so I won't
> make any if,then,else suggestions.
>   Have additional hard drive, which can store any data temporary, 
> while   
 I'm preparing main disks. I have 160GB and 60GB drives. I have plan to 
 make 60GB raid1 and 100GB for not very valuable data on rest of the 
 160GB drive. Now my VG(consisting all data) is on temporary 320GB drive 
 and my /boot on ext3 partition is om 160GB.

 What I want is to put that /boot on raid1 along with very valuable data 
 from temporary drive (VG) and not very valuable data on that 100GB not 
 raid part. Everything except /boot should be on LVM.

 Hope my goal is clear now :)
 
>>>
>>> I don't have any experience setting up raid/LVM from anything other than
>>> the installer: I set it up there and haven't had to touch it.  So if it
>>> were me and I had the netinst.iso or CD-1, I would do a minimal
>>> reinstall on your two target disks and have ignore your 320 GB drive,
>>> BUT I also don't have any experience of verifying how to get a new
>>> install to find an existing LVM.  So read lots of man pages, and
>>> consider backing up your data to a tarball on either a raw device or a
>>> file on a filesystem, either way to that 320GB drive.  Either way, read
>>> the raid HOWTOs and the LVM HOWTO.
>>>
>>> Your disk layout seems good:
>>>
>>> 60 GB drive partitions:
>>> 132 MBfor raid1 md0
>>> 259968 MB for raid1 md1
>>>
>>> 160 GB drive partitions:
>>> 132 MBfor raid1 md0
>>> 259968 MBfor raid1 md1
>>> 3remainderfor LVM, VG-stripe
>>> this allows you later to add a device to this VG either
>>> to extend the size or migrate data if this drive starts
>>> to fail.
>>>
>>> Raid setup:
>>> md0filesystem/boot
>>> md1for LVMVG-mirror
>>>
>>> LVM setup:
>>> VG-mirror:
>>> LV-root384 MB/
>>> LV-usr4 GB/usr
>>> LV-var6 GB/var
>>> LV-home??/home
>>> VG-stripe:
>>> LV-??????
>>>
>>> Doug.
>>>
>>>
>>>   
>>
>>
>
>
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a 
> subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>

Re: [OT] Interview with Con Kolivas on Linux failures

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 05:36:43AM +, s. keeling wrote:
> Bob Proulx <[EMAIL PROTECTED]>:
> >  David Brodbeck wrote:
> > > To me it always smacked a little of "me-too-ism", too ... the GNU  
> > > folks felt Linux wasn't GNU-ish enough, so they had to go write their  
> > > own kernel.
> > 
> >  The GNU Hurd has existed long before Linux existed.  Hurd has been in
> >  development for many years.  (Hurd is technology of the future.
> 
> aka. "Vapourware"?

well, no, because it does exist. It is unfortunately developing very
slowly and has run into real problems with parts of its structure
(namely the mach microkernel) being ultimately unsuitable for
implementing some of the stuff the want to do. IIUC.

A


signature.asc
Description: Digital signature

Re: Cron and mail

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 08:33:30AM -0300, Sergio Belkin wrote:
> --- El Jue 26 Jul 2007, Marc encontró un teclado y tipeó lo siguiente: 
> > Ma: Hmmm.. one thing might be that the variable is called "MAILTO" and not
> > Ma: "MAIL"?
> > Ma: You can try with that, but in general, as the man page says:
> > Ma: "When executing commands, any output is  mailed  to  the  owner  of
> > Ma: the  crontab ..."
> > Ma:
> > Ma: Sergio Belkin wrote:
> > Ma: > Hi
> > Ma: > Non-root users are not getting information mail about scheduled
> > tasks. Ma: > I've included the line MAIL=joendoe in jondoe user. Task are
> > performed Ma: > but users are not notified.
> > Ma: >
> > Ma: > I am using Etch and exim4. What's wrong with this?
> > Ma:
> > Ma:
> 
> Thanks, "MAIL" was a typo, but even if I issue MAILTO=jondoe in jondoe user 
> crontab file, it doesn't work either...

does mail work on the system? can you mail from the command line? does
the cron job produce any output to mail? 

A


signature.asc
Description: Digital signature

Re: RAID1 Boot Partition

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 03:03:28PM +0300, Chaim Keren Tzion wrote:
> Hi,
> 
> I have been trying to set up a software RAID1 system with two 320GB SATA 
> disks.
> 
> I have followed the instructions at both these links below (using lenny 
> instead of etch because of what seems to be unsupported hardware in the older 
> kernel):
> http://ads.wars-nicht.de/blog/archives/54-Install-Debian-Etch-on-a-Software-Raid-1-with-S-ATA-disks.html
> and
> http://www.networkjack.info/blog/2007/01/03/debian-linux-etch-software-raid-1/
> 
> I had issues with both procedures.
> 1. Both of them failed when I chose to install the "Standard system" item in 
> the tasksel stage of the install.
> 
> 2. When I chose to not install the "Standard system" I
> A) got a minimalistic system which uses lilo(yuck) as a boot loader

so install grub. (probably after the stuff below...)

> B) The RAID1 MD device that I created for the /boot partition exists but was 
> not added to the /etc/fstab, no files were written to that device/partition 
> and the system actually boots from the root MD device instead.

create a mount point: /newboot, mount the md0 device there, copy over
the /boot stuff to /newboot. umount /newboot and remount it at
/boot. manually install grub to each of the disks so that you can boot
from either one. Fix up your /boot/grub/menu.lst so that it points to the
right devices...

root (hd0,0)
kernel vmlinuz... root=/dev/md1

adjust your devices accordingly

you may have to update-initramfs to ensure that the right
stuff is setup in the initramfs... 

> 
> 3) The second URL above uses LVM which I wouldn't have used otherwise but I 
> was desperate to finally get the RAID to work and followed the instructions 
> exactly. Is LVM any type of requirement for a software RAID system?

nope.

> 
> The system works but everything is on the root MD device.
> Any ideas/pointers on how to do it right?
> 1. I preffer Grub
> 2. Would like to boot off the first MD device/partition
> 3. I preffer not using LVM
> 4. I would like to have the "Standard system" packages install.

4. you can rerun tasksel and pick the standard system from there.

hth

A


signature.asc
Description: Digital signature

Re: how to restore bios password (PHEONIX on acer 5102)

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 02:15:31PM +0200, Jabka Atu wrote:
> Thnx ,.
> but the issue is that afaik if i open the laptop i will lose my warrenty.
> what about flashing it ?
> (btw how do they know).

take it back to them and demand they fix it while you stand there and
watch. How do you know they haven't installed from cracked bios? or
some other crap that doesn't belong? I would demand nothing less than
satisfaction because they have effectively stolen your laptop from you
by locking you out of its BIOS, something which is fundamentally yours
and not theirs. 

as to the warranty thing, well, if they aren't answering the phone or
otherwise providing you the service you require (which is removing the
password they installed without your permission) then what makes
you think you'll get future warranty service? 

A

>
>
>
> On 7/26/07, Raj Kiran Grandhi <[EMAIL PROTECTED]> wrote:
>>
>> Jabka Atu wrote:
>> > Dear Debian list members,
>> >
>> >
>> > im sorry to ask such strange question here but still.
>> >
>> > i ve sent my laptop to local custumer servrice and they add a bios
>> > password on it.
>> >
>> Does you laptop contain a switch to clear the CMOS? Some laptops have
>> such a switch under the keyboard or bottom of the laptop using which you
>> might be able to clear the CMOS memory entirely and restore it to
>> factory default. Otherwise, if it is possible to access the CMOS
>> battery, try removing the CMOS battery and the laptop battery leave it
>> for some time, say 30minutes, and put them back in.
>>


signature.asc
Description: Digital signature

Re: How Debian BTS and its tools can be improved (user poll).

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 03:34:58PM +, Oleg Verych wrote:
> What, on your opinion, can be done better in Debian BTS, reportbug?

1)I agree with kamaraju (sp?) that submitter should be automatically
subscribed to the bug, or even better, given the option to subscribe
from within reportbug at submittal time. 


2)also, I'd love to see a final option to change the From: address in
reportbug as various times I've been an idiot and completed a whole
report not realising that I had a bogus From:... but I can get pretty
stupid sometimes...

> 
> Why do you think it's better than current approach (if exists)?

1)it places the burden of subcribing on the submitter, but makes it
dead-stupid easy to subscribe (you could bypass any confirmation email
etc...) and takes work load of keeping track of CC's off the
maintainer. 

2) theres already a stupid_mode in the code, so why not more of the
   same? ;)

> 
> What can you do to help with that?

I don't know, maybe hack reportbug to include this option, but I
haven't looked at it closely. 

> 
> 
> Some related contex:
>   ~~
> 

heh. I like that one...

A


signature.asc
Description: Digital signature

Re: How to generate script with Apache and run it by root avoiding to "kill" security

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 11:18:43AM -0400, Guillermo Garron wrote:
> Hi List,
> 
> I am creating a PHP small program that will interact with MySQL and
> will have the policies for the people in my office, i.e.:
> Who can or can not access MSN messenger
> Who can or can not access WWW
> 
> etc. once this is stored, a shell script with the iptables rules
> should be created, and then run.
> 
> I do not want to run it with Apache, so I was thinking on creating a
> CRON job that will run it as root once every n minutes, but the issue
> i see here, is that if somebody "break" my Apache security he will be
> able to create any script he likes and my CRON will run it, killing my
> server security.
> 
> any better ideas about how can I achieve my goal?

I don't see how you could possibly create a publicly available
interface to change something as fundamental as your firewall and have
it _not_ be a security risk. 

maybe you could create a user that only has permissions to run one
script and that one script is only allowed to change your firewall
rules in specific ways, but even so I think you're asking for trouble.

and take that all with appropriate salt as I am no security expert, it
just seems kind of obvious to me...

A


signature.asc
Description: Digital signature

Re: what is this in tcpdump?

[Andrew Sackville-West]

On Thu, Jul 26, 2007 at 06:17:40PM +0200, Nigel Henry wrote:
> On Thursday 26 July 2007 00:47, Andrew Sackville-West wrote:
> > I get a lot of these in my tcpdump on my machine:
> >
> > 15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
> > 15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
> >
> > 192.168.1.31 is my broadcast address, and basement is me. They usually
> >   come in pairs like this, though sometimes split up by other
> >   traffic. Always, though, its one of length 129 and one of
> >   167
> >
> > A
> 
> Hi Andrew. It looks like these are just broadcasts from your print server. 
> The 
> difference in packet size seems to indicate that you have 2 printers. I have 
> 2 broadcasts every 30 secs. One is 189bytes, and the other 190bytes. I only 
> have one printer. Printer1 on the Wireshark output attached should not be 
> there, and will have to look into that, and get rid of the duplicated entry.


hmmm... maybe my fax printer is shared too...

thanks

A


signature.asc
Description: Digital signature

Re: adduser kills sound pt. 3

[Andrew Sackville-West]

On Wed, Jul 25, 2007 at 09:46:15PM -0400, Rick Spillane wrote:
> OK. So I investigated what statoverride is, and its a list of names
> that can be used to install packages under. I checked
> /var/lib/dpkg/statoverride, and it seems as though there is indeed a
> name 'root' in there, thus doubling my confusion. My guess is that the
> there was once a root group in /etc/group, however it is no longer
> there (I checked). Could someone post an /etc/group so I can try to
> piece back together my /etc/group? I think this is the core of my
> problems.

I think it might be better, next time, if you post your part 2's and
part 3' as replies to the original thread...

okay. Its a little confusing, but it sounds like you are using some
gui interface to add users but its crashing, right? I would think that
could definitely corrupt your /etc/group as there is usually a group
created for each user... I recommend you _not_ use a gui to add users
and instead use adduser from the cli. Also you should probably scan
the bugs of the gui you've been using and see if you problem has been
reported or not and whether the corrupting of /etc/group is included
in such a reprot, if it exists. If there is no report, then probably
you should make one. 

There could be other problems... if the group file is corrupted, some
of the other user related files may be corrupted as well... such as
your /etc/passwd or /etc/shadow... I recommend you don't reboot until
you've verified that those files are okay...

finally, here is my /etc/group if it helps...

I'm not sure whether you should just recreate it in an editor or
actually use one of the tools like addgroup to recreate it. and I
surely have things you don't have and vice versa

A


cat /etc/group

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:cupsys
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:andrew,cupsys
fax:x:21:
voice:x:22:
cdrom:x:24:andrew
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:andrew
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:andrew
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:andrew
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
crontab:x:101:
Debian-exim:x:102:
ssh:x:103:
andrew:x:1000:
lpadmin:x:104:andrew
messagebus:x:105:
powerdev:x:107:
camera:x:108:
scanner:x:109:cupsys
saned:x:110:
haldaemon:x:106:
ntpd:x:111:
stb-admin:x:112:
avahi:x:113:
netdev:x:114:
vde2-net:x:115:


signature.asc
Description: Digital signature

Re: Cron and mail

[Andrew Sackville-West]

On Wed, Jul 25, 2007 at 11:00:36PM -0300, Sergio Belkin wrote:
> Hi
> Non-root users are not getting information mail about scheduled tasks.
> I've included the line MAIL=joendoe in jondoe user. Task are performed
> but users are not notified.
>
> I am using Etch and exim4. What's wrong with this?

per

man 5 crontab

you should use MAILTO=jondoe not MAIL

A


signature.asc
Description: Digital signature

Re: what is this in tcpdump?

[Andrew Sackville-West]

On Wed, Jul 25, 2007 at 04:23:27PM -0700, David Brodbeck wrote:
>
> On Jul 25, 2007, at 3:47 PM, Andrew Sackville-West wrote:
>
>> I get a lot of these in my tcpdump on my machine:
>>
>> 15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
>> 15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
>>
>> 192.168.1.31 is my broadcast address, and basement is me. They usually
>>   come in pairs like this, though sometimes split up by other
>>   traffic. Always, though, its one of length 129 and one of
>>   167
>
> IPP is Internet Printing Protocol.  My guess is CUPS is probably set to 
> broadcast to other systems so they can automatically discover printers.


doh. thanks. I knew it was something like that... 

I had some spurious net traffic today on my local machine which has a
couple ports forwarded to it. I had the torrent ports still open from
downloading an RMS talk the other day, and it was causing all sorts of
activity. The short of it is, I ended up watching my tcpdump for a
while and... well, you start to freak out about stuff...

A


signature.asc
Description: Digital signature

Re: How to generate script with Apache and run it by root avoiding to "kill" security

[Mumia W..]

On 07/26/2007 10:18 AM, Guillermo Garron wrote:

Hi List,

I am creating a PHP small program that will interact with MySQL and
will have the policies for the people in my office, i.e.:
Who can or can not access MSN messenger
Who can or can not access WWW

etc. once this is stored, a shell script with the iptables rules
should be created, and then run.

I do not want to run it with Apache, so I was thinking on creating a
CRON job that will run it as root once every n minutes, but the issue
i see here, is that if somebody "break" my Apache security he will be
able to create any script he likes and my CRON will run it, killing my
server security.

any better ideas about how can I achieve my goal?

thanks in advance.

best regards.



It depends upon how simple the iptables rules are meant to be; however, 
you can let the web script write a list of port numbers to disk, and the 
cron-job could take that list, validate it, and convert it to a list of 
iptables rules.


The validation done by the cron-job would be the key security effort.

HTH


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: How Debian BTS and its tools can be improved (user poll).

[Joey Hess]

Kamaraju S Kusumanchi wrote:
> 1) In http://www.debian.org/Bugs/ , I would like to see an option to search
> just within the title of the bug reports.

In my experience, the titles of bug reports are often useless.

There is, however, a full-text search of the BTS available here:
http://merkel.debian.org/~don/cgi/search.cgi

> 2) If I report a bug, I would automatically like to be subscribed to it so
> that I receive all the future communications. Currently let's say I report
> a bug. Then if the maintainer replies only to the bug report, I have no way
> of knowing about it unless I manually subscribe to that bug number.
> Manually subscribing to each bug report you submit is tiresome.

I agree.

> 3) If I report a bug, I want to see it immediately in bugs.debian.org and
> not after some 20 minutes delay. (that's way it works with other bug
> reporting systems, ex:- kde, gcc bug reporting systems)

Well, it used to be an average of a 15 minute delay. Now the average is
2 minutes.

-- 
see shy jo


signature.asc
Description: Digital signature

Re: why do iceweasel et al have more frequent security issues?

[Mathias Brodala]

Hi Douglas.

Douglas Allan Tutty, 26.07.2007 20:06:
> On Thu, Jul 26, 2007 at 07:13:48PM +0200, Mathias Brodala wrote:
>> Douglas Allan Tutty, 26.07.2007 18:23:
>>> It seems that the mozilla-derived browsers have security issues
>>> requiring updates far more frequently than other browsers like Konqueror
>>> or links2.
>> Aside from the fact that one software really can be more secure than another 
>> one
>> is this the result of an increased usage. The more people use Gecko browsers,
>> the more bugs can be found willingly or unwillingly. And the more people use
>> Gecko browsers, the more lucrative is it to find security holes and damage
>> systems this way.
> 
> So this suggests that its a tradeoff: more users of Gecko means more
> people reporting bugs and therefore more bug fixes but also a more
> lucrative target for security threats; Konq may have more undiscovered
> security holes but they are undiscovered both by bug fixers and security
> threats?  
> 
> Is this the gist of the situation?

Basically, yes.


Regards, Mathias

-- 
debian/rules



signature.asc
Description: OpenPGP digital signature

Re: why do iceweasel et al have more frequent security issues?

[Douglas Allan Tutty]

On Thu, Jul 26, 2007 at 07:13:48PM +0200, Mathias Brodala wrote:
> Douglas Allan Tutty, 26.07.2007 18:23:
> > It seems that the mozilla-derived browsers have security issues
> > requiring updates far more frequently than other browsers like Konqueror
> > or links2.
> 
> Aside from the fact that one software really can be more secure than another 
> one
> is this the result of an increased usage. The more people use Gecko browsers,
> the more bugs can be found willingly or unwillingly. And the more people use
> Gecko browsers, the more lucrative is it to find security holes and damage
> systems this way.

So this suggests that its a tradeoff: more users of Gecko means more
people reporting bugs and therefore more bug fixes but also a more
lucrative target for security threats; Konq may have more undiscovered
security holes but they are undiscovered both by bug fixers and security
threats?  

Is this the gist of the situation?

Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[Mathias Brodala]

Hi Douglas.

Douglas Allan Tutty, 26.07.2007 18:23:
> It seems that the mozilla-derived browsers have security issues
> requiring updates far more frequently than other browsers like Konqueror
> or links2.

Aside from the fact that one software really can be more secure than another one
is this the result of an increased usage. The more people use Gecko browsers,
the more bugs can be found willingly or unwillingly. And the more people use
Gecko browsers, the more lucrative is it to find security holes and damage
systems this way.


Regards, Mathias


-- 
debian/rules



signature.asc
Description: OpenPGP digital signature

Re: [Solved] XKB broken

[Celejar]

On Thu, 26 Jul 2007 02:52:15 -0400
I wrote:

[snipped lots of hair pulling over my mysterious and unreproducible broken xkb 
system]

Solved !!!

/var was full.  I thought I had told aptitude to remove obsolete
packages from the cache, but the option was somehow unselected.
'aptitude auto-clean' freed about 1.6 GB.  I seem to remember seeing
somewhere that a full var can cause strange problems; I've learned the
hard way, and I don't think I'll forget this too quickly.

I found, by googling for the "bad length in CompatMap" message, the
answer on a thread on a German forum [0], and very helpfully translated
by Google, too.

Thanks, Florian.

[0] http://www.linuxforen.de/forums/showthread.php?t=210862

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Where is Lame in Sarge?

[Hal Vaughan]

I have a server running Sarge.  I tried to find lame and got this:

[EMAIL PROTECTED]:root]$ aptitude show lame
Package: lame
State: not a real package

This was after trying to install it just by the name "lame."  Then I did 
this:

[EMAIL PROTECTED]:root]$ aptitude search lame
p  flamethrower - Multicast file distribution utility
c  glame - versatile audio processor
v  lame -
p  systemimager-server-flamethrowerd - SystemImager boot binaries for
 i386 client nodes
p   toolame - MPEG-1 layer 2 audio encoder

(Extra spaces removed.)

Neither toolame or glame provide lame itself.  It's LPGL, does that 
create a conflict with Debian's social contract?

Do I have to go out of the repositories to add lame?

Thanks!

Hal


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: why do iceweasel et al have more frequent security issues?

[John Hasler]

Doug writes:
> It seems that the mozilla-derived browsers have security issues requiring
> updates far more frequently than other browsers like Konqueror or links2.

> I'm curious as to why this is.  Does anyone have any ideas? 

How many people are looking for holes in Konq or Links2? 
-- 
John Hasler


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: How Debian BTS and its tools can be improved (user poll).

[Kamaraju S Kusumanchi]

> What, on your opinion, can be done better in Debian BTS, reportbug?
> 
> Why do you think it's better than current approach (if exists)?
> 
> What can you do to help with that?
> 

1) In http://www.debian.org/Bugs/ , I would like to see an option to search
just within the title of the bug reports.

2) If I report a bug, I would automatically like to be subscribed to it so
that I receive all the future communications. Currently let's say I report
a bug. Then if the maintainer replies only to the bug report, I have no way
of knowing about it unless I manually subscribe to that bug number.
Manually subscribing to each bug report you submit is tiresome.

3) If I report a bug, I want to see it immediately in bugs.debian.org and
not after some 20 minutes delay. (that's way it works with other bug
reporting systems, ex:- kde, gcc bug reporting systems)

Those are my only complaints. Otherwise BTS is just great.

raju

-- 
Kamaraju S Kusumanchi
http://www.people.cornell.edu/pages/kk288/
http://malayamaarutham.blogspot.com/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

why do iceweasel et al have more frequent security issues?

[Douglas Allan Tutty]

It seems that the mozilla-derived browsers have security issues
requiring updates far more frequently than other browsers like Konqueror
or links2.

I'm curious as to why this is.  Does anyone have any ideas?  

I'm on dialup and switched to Konq for this very reason but sometimes I
have a website that doesn't work and its handy to see if iceweasel will
view it.  (so far the only one is the adobe flashplayer test page).

Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: what is this in tcpdump?

[Nigel Henry]

On Thursday 26 July 2007 00:47, Andrew Sackville-West wrote:
> I get a lot of these in my tcpdump on my machine:
>
> 15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
> 15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
>
> 192.168.1.31 is my broadcast address, and basement is me. They usually
>   come in pairs like this, though sometimes split up by other
>   traffic. Always, though, its one of length 129 and one of
>   167
>
> A

Hi Andrew. It looks like these are just broadcasts from your print server. The 
difference in packet size seems to indicate that you have 2 printers. I have 
2 broadcasts every 30 secs. One is 189bytes, and the other 190bytes. I only 
have one printer. Printer1 on the Wireshark output attached should not be 
there, and will have to look into that, and get rid of the duplicated entry.

I have a bunch of distros that run on the machine that has the printer 
physically attached to it, and even more distros on the other machine that is 
using network printing. I've  obviously misconfigured something somewhere, 
which is very easy to do.

See attachment below.

Nigel.


Wireshark-capture-20070726
Description: Binary data

How Debian BTS and its tools can be improved (user poll).

[Oleg Verych]

What, on your opinion, can be done better in Debian BTS, reportbug?

Why do you think it's better than current approach (if exists)?

What can you do to help with that?


Some related contex:
  ~~



#420361


#422085
__
 Thanks.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: ML-320 compatible dot-matrix printer

[Douglas Allan Tutty]

On Thu, Jul 12, 2007 at 10:33:03PM -0400, Douglas Allan Tutty wrote:
>
>I have an Origional IBM Personal Computer Graphics Printer.  I know from
>previous installations that the only way I found to get it to print
>postscript was with the gs-esp ML-320 driver.
>
>However, I've always used lprng since its seems like overkill to bring
>in all of cups.  On my last box, where I got it to work, I ended up with
>foomatic-printfilters (which brings in a lot of the cups stuff) and used
>the foomatic GUI to set it up with lprng.
>
>Does anyone using lprng know of an easier/simpler way to get things
>working?
>
>My hesitation on cups is twofold:  the large amount of downloading over
>slow dialup; and I'm unclear on the politics of the openprinting.org
>movement.  The latter seems to be driven by one company.
> 

Thanks all for your suggestions.  I found that in Etch, the standard
gs-gpl okiibm driver works great with apsfilter.  Tell apsfilter quality
high, mono and I get 120x144 very nicely.  I don't know why this didn't
work under Sarge.  The printer uses a paralell interface and is located
beside my PII computer that I use as an ssh client box.  The PII only
has an 850 MB drive so to save disk space, I'm using plain old lpd
instead of lprng.

Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

How to generate script with Apache and run it by root avoiding to "kill" security

[Guillermo Garron]

Hi List,

I am creating a PHP small program that will interact with MySQL and
will have the policies for the people in my office, i.e.:
Who can or can not access MSN messenger
Who can or can not access WWW

etc. once this is stored, a shell script with the iptables rules
should be created, and then run.

I do not want to run it with Apache, so I was thinking on creating a
CRON job that will run it as root once every n minutes, but the issue
i see here, is that if somebody "break" my Apache security he will be
able to create any script he likes and my CRON will run it, killing my
server security.

any better ideas about how can I achieve my goal?

thanks in advance.

best regards.

-- 
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using F7, CentOS5, Ubuntu 7.40, Debian Etch and Mandriva 2007 Spring)
http://www.go2linux.org


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Getting wake-on-lan to work in Etch

[Oleg Verych]

* Raj Kiran Grandhi (2007-07-26):

>> > I am trying to get "wake on lan" to work in Etch. I have a motherboard
>> > with an onboard NIC which supports wake-on-lan. I have enabled
>> > wake-on-lan in the bios. When I poweroff the computer during POST, I am
>> > able to remotely wake it, but if I shut it down from Etch, power to the
>> > NIC is also being turned off and wake-on-lan does not work. I have
>> > edited '/etc/init.d/halt' and removed the '-i' option from the 'halt'
>> > command, but the NIC is still being powered down.
>>
>> Try to add this line in your /etc/network/interfaces :
>>   post-down ethtool -s eth0 wol g
>>
>> It tells your nic to prepare to be woken up, so perhaps it will not power 
>> off.
>>
>> Install ethtool if you don't have it.
>>
> ethtool did the trick! Thanks a lot. Only, I had to add that line as a
> script in the /etc/network/if-up.d directory.

It turned out to be 3d hit in google "linux wake on lan". While it's
gentoo wiki, hardware<->kernel thing is the same: there's nothing
interesting in bios?kernel?acpi?userspace dance.

Anyway beware of acpi reboot/poweroff problems and how they are awkward.




Also some drivers are not wol ready in 2.6.18:





-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Debian x IBM X3500

[Márcio Luciano Donada]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Somebody has debian etch twirling in serving IBM X3500? How door? E
with ServerRAID controller? Everything ok?

[1]. http://www.ibm.com/br/systems/x/tower/x3500/index.phtml

Thnx!!!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)
 
iD8DBQFGqKgPbjyCr4Ixg0wRAuQwAJ9GNUVMCZeXuBj0HgEDbGYuLwszlgCeMERu
eUAGum9IBqVex9YIfkjvl7k=
=nMSG
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

laptop keyboard settings in debian etch

[Erico]

I have installed debian etch and would like to configure a laptop us
keyboard

how can I do that ?

I've searched and found that this could be done in

/etc/default/console-setup :

XKBMODEL=""
XKBLAYOUT="es"
XKBVARIANT="nodeadkeys"
XKBOPTIONS="lv3:ralt_switch"

or /etc/X11/xorg.conf :

Section"InputDevice"
Identifier  "Generic Keyboard"
Driver  "kbd"
Option  "CoreKeyboard"
Option  "XkbRules"  "xorg"
Option  "XkbModel"  ""
Option  "XkbLayout" "es"
Option  "XkbVariant""nodeadkeys"

Now when I get into gnome it says my X11 configuration is diferent then
gnome

Re: RAID1 Boot Partition

[Márcio Luciano Donada]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Chaim Keren Tzion escreveu:
> Hi,
>
> I have been trying to set up a software RAID1 system with two 320GB
> SATA disks.
>
> I have followed the instructions at both these links below (using
> lenny instead of etch because of what seems to be unsupported
> hardware in the older kernel):
> http://ads.wars-nicht.de/blog/archives/54-Install-Debian-Etch-on-a-Software-Raid-1-with-S-ATA-disks.html
>  and
> http://www.networkjack.info/blog/2007/01/03/debian-linux-etch-software-raid-1/
>
>
> I had issues with both procedures. 1. Both of them failed when I
> chose to install the "Standard system" item in the tasksel stage of
> the install.
>
> 2. When I chose to not install the "Standard system" I A) got a
> minimalistic system which uses lilo(yuck) as a boot loader B) The
> RAID1 MD device that I created for the /boot partition exists but
> was not added to the /etc/fstab, no files were written to that
> device/partition and the system actually boots from the root MD
> device instead.
>
> 3) The second URL above uses LVM which I wouldn't have used
> otherwise but I was desperate to finally get the RAID to work and
> followed the instructions exactly. Is LVM any type of requirement
> for a software RAID system?
>
> The system works but everything is on the root MD device. Any
> ideas/pointers on how to do it right? 1. I preffer Grub 2. Would
> like to boot off the first MD device/partition 3. I preffer not
> using LVM 4. I would like to have the "Standard system" packages
> install.
>
>

Hi,
Sincerely, I do not want more to know of RAID-1 saw software, I had
many problems, mainly because of boot that in the truth never the
record existed in both. In a server in production, valley to buy a
controller raid and only to stop to lose time with this type of thing.


thx,
Márcio
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)
 
iD8DBQFGqJdpbjyCr4Ixg0wRAq8GAKCRt6KGDU6rMihIF8csW9odcHYLGQCgpbWv
5fX6ZgBX4c/kT2UpKJCO6c4=
=uK34
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Server for a Bibliography (eg. pubmed.gov)

[Lorenzo Bettini]

Hi

for the moment phpbibliography simply outputs html pages; a programmer 
provided me with some code to output rss (which I'll include in the next 
release).


I'll have to take a look at pubmed.com

if you have suggestions about other formats I can work on that feature.

Lorenzo

Mathieu Malaterre wrote:

Let say I go on pubmed.com and check:

http://www.ncbi.nlm.nih.gov/sites/entrez?Db=pubmed&Cmd=ShowDetailView&TermToSearch=17623889&ordinalpos=1&itool=EntrezSystem2.PEntrez.Pubmed.Pubmed_ResultsPanel.Pubmed_RVMedline 



Which output format does phpbibliography supports (MEDLINE, 
AbstractPlus, XML) ?


Thanks
-Mathieu

On 7/20/07, Lorenzo Bettini <[EMAIL PROTECTED]> wrote:

Mathieu Malaterre wrote:
> Hello,
>
>  I am looking for a tool just like pubmed.gov. Ideally it should
> support one of the export format of pubmed.gov, or quickly upload a
> pdf file of a scientific article.
>
> Thanks,

This one I made it :-)

http://phpbibliography.sourceforge.net/



--
Lorenzo Bettini, PhD in Computer Science, DSI, Univ. di Firenze
ICQ# lbetto, 16080134 (GNU/Linux User # 158233)
HOME: http://www.lorenzobettini.it MUSIC: http://www.purplesucker.com
BLOGS: http://tronprog.blogspot.com  http://longlivemusic.blogspot.com
http://www.gnu.org/software/src-highlite
http://www.gnu.org/software/gengetopt
http://www.gnu.org/software/gengen http://doublecpp.sourceforge.net


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: icedove 2 uses a lot of bandwidth

[Lorenzo Bettini]

Matthew K Poer wrote:

On Saturday 07 July 2007 4:12 am, Lorenzo Bettini wrote:

Hi

I like the new features of icedove 2 (thunderbird), but when I'm using a
56k modem, I noticed that it uses a lot of bandwidth (especially upon
the first get messages of the day); I'm using only IMAP.

I think this is due to the fact that it builds a summary (the one shown
in the right bottom corner of the screen) of the new arrived emails by
inspecting all the IMAP folders.

Is there a way to disable this feature?  I couldn't find it in the
preferences...

thanks in advance
Lorenzo



I found the solution to disable the popup summary (and thus save a lot 
of bandwidth)!


it's in Preferences -> General -> When new messages arrive

I documented it also here: 
http://tronprog.blogspot.com/2007/07/thunderbird-2-summary-popup.html


--
Lorenzo Bettini, PhD in Computer Science, DSI, Univ. di Firenze
ICQ# lbetto, 16080134 (GNU/Linux User # 158233)
HOME: http://www.lorenzobettini.it MUSIC: http://www.purplesucker.com
BLOGS: http://tronprog.blogspot.com  http://longlivemusic.blogspot.com
http://www.gnu.org/software/src-highlite
http://www.gnu.org/software/gengetopt
http://www.gnu.org/software/gengen http://doublecpp.sourceforge.net


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: how to restore bios password (PHEONIX on acer 5102)

[Jabka Atu]

Thnx ,.
but the issue is that afaik if i open the laptop i will lose my warrenty.
what about flashing it ?
(btw how do they know).



On 7/26/07, Raj Kiran Grandhi <[EMAIL PROTECTED]> wrote:


Jabka Atu wrote:
> Dear Debian list members,
>
>
> im sorry to ask such strange question here but still.
>
> i ve sent my laptop to local custumer servrice and they add a bios
> password on it.
>
Does you laptop contain a switch to clear the CMOS? Some laptops have
such a switch under the keyboard or bottom of the laptop using which you
might be able to clear the CMOS memory entirely and restore it to
factory default. Otherwise, if it is possible to access the CMOS
battery, try removing the CMOS battery and the laptop battery leave it
for some time, say 30minutes, and put them back in.